[Full-disclosure] perldiver

2005-09-26T00:00:00
ID SECURITYVULNS:DOC:9778
Type securityvulns
Reporter Securityvulns
Modified 2005-09-26T00:00:00

Description


  - EXPL-A-2005-014 exploitlabs.com Advisory 043 -

                      -perldiver -

AFFECTED PRODUCTS

Perldiver v1.x and 2.x http://scriptsolutions.com/

OVERVIEW

Perl Diver digs into your server's Perl installation and gives you the information you need in a quick and easy-to-find manner.

DETAILS

  1. XSS

Perldiver does not properly filter script content supplied by the client. In v2.x, an XSS payload may be inserted in the "module" parameter; in v1.x, it may be supplied in the query string of a GET request to the main script.

The malicious script is then rendered into the page and executed in the context of the user's browser.

POC

1.x

http://[host]/[path]/perldiver.pl?testhere<SCRIPT>alert(document.domain);</SCRIPT>

2.x

http://[host]/[path]/perldiver.cgi?action=2020&module=<script>document.write(document.domain)</script>

bonus vendor site vuln: http://www.scriptsolutions.com/programs/free/perldiver/perldiver.cgi?action=2020&module=<script>document.write(document.domain)</script>

SOLUTION:

vendor contact: Sept 14, 2005, via http://www.scriptsolutions.com/support/postlist.pl?Cat=&Board=DDBugs
vendor response: Sept 15, 2005

If you are a current PerlDiver user, you can either download the updated version, or insert the following line after my $module = param( 'module' ); in the module_detail subroutine:

$module =~ s/[^A-Za-z0-9:]//g;   # strip every character that is not a letter, digit or colon, anywhere in the value

updated version: http://www.scriptsolutions.com/support/showflat.pl?Board=DLPerlDiver&Number=446 http://www.scriptsolutions.com/support/files/4-446-perldiver.zip
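As an added illustration, not part of the original advisory or of the vendor's code, the stand-alone Perl script below contrasts reflecting the "module" parameter unchanged with the two defences a reviewer would want to see together: strict validation (or, at minimum, an unanchored allowlist strip) and HTML escaping of anything echoed back. The sample inputs are constructed from the advisory's 2.x PoC plus a legitimate module name, and the function names (module_detail_vulnerable, module_detail_fixed, is_valid_module_name and friends) are assumptions. The same escaping applies to the query string echoed by the 1.x script.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the vendor): contrasts reflecting the
# "module" parameter unchanged with validation, an allowlist filter and HTML
# escaping. Function names and the sample inputs below are assumptions.
use strict;
use warnings;

# Constructed stand-ins for param('module'): a legitimate module name, the
# advisory's 2.x PoC payload, and a payload hidden inside a plausible name.
my @inputs = (
    'Data::Dumper',
    '<script>document.write(document.domain)</script>',
    'Foo::Bar<img src=x onerror=alert(1)>',
);

# Vulnerable: the parameter is interpolated straight into the HTML page.
sub module_detail_vulnerable {
    my ($module) = @_;
    return "<h2>Module: $module</h2>\n";
}

# Strict validation: a Perl package name is identifiers joined by '::'.
# Returns 1 if the whole string matches, 0 otherwise.
sub is_valid_module_name {
    my ($module) = @_;
    return $module =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/ ? 1 : 0;
}

# Stripping filter (the vendor's approach): drop every character that is not
# a letter, digit, underscore or colon. The pattern is unanchored and global,
# so a '<' in the middle of the string is removed just like one at the start;
# an anchored pattern would only ever touch the first character.
sub sanitize_module_name {
    my ($module) = @_;
    $module =~ s/[^A-Za-z0-9_:]//g;
    return $module;
}

# Defence in depth: escape the five HTML metacharacters in a single pass, so
# even a value that slipped past the filter cannot open a tag or attribute.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Fixed handler: reject names that are not well-formed, and escape whatever
# is echoed back (the rejection message reflects input too, so it is escaped).
sub module_detail_fixed {
    my ($module) = @_;
    unless (is_valid_module_name($module)) {
        return "<p>Invalid module name: "
             . html_escape(sanitize_module_name($module)) . "</p>\n";
    }
    return "<h2>Module: " . html_escape($module) . "</h2>\n";
}

for my $in (@inputs) {
    print "input:      $in\n";
    print "vulnerable: ", module_detail_vulnerable($in);
    print "fixed:      ", module_detail_fixed($in);
    print "\n";
}
```

Run it with plain `perl` and compare the two output lines per input: the vulnerable handler emits the PoC's script tag verbatim, while the fixed handler rejects the payload and never emits a raw '<' or '>'. Validating and rejecting is preferable to silently stripping characters, because a stripped value can still be a legal-looking but different module name.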

Credits

This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
web: http://exploitlabs.com
web: http://zone-h.org

orig advisory: http://exploitlabs.com/files/advisories/EXPL-A-2005-014-perldiver.txt


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/