Cross script vulnerability (XSS) in httpd

Savvas Karagiannidis karagian at gmail.com
Wed Jan 29 05:38:43 EST 2020


Hi,
not sure if this is an actual issue, so I'm posting it here first, in case
someone knows better.
We recently ran a vulnerability assessment using nessus against our server
running cyrus and it detected the following medium risk XSS issue (the
actual report is at the bottom of the email)

9080 is the custom port https is configured to listen on.

>From what I understand it seems that someone could craft a special request
and enter script code via the headers sent, code that appears in the
response and could actually be executed in case a browser is used.

The report had multiple example requests, but technically they were all the
same, so I'm just attaching the first example request that confirms the
issue.

Regards,
Savvas Karagiannidis


Here's the related part of the report:

Synopsis
The remote web server is affected by a cross-site scripting vulnerability.
Description
The remote host is running a web server that fails to adequately sanitize
request strings of malicious JavaScript. A remote attacker can exploit this
issue, via a specially crafted request, to execute arbitrary HTML and
script code in a user's browser within the security context of the affected
site.
See Also

https://en.wikipedia.org/wiki/Cross-site_scripting
Solution
Contact the vendor for a patch or upgrade.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:H/RL:OF/RC:C)
References


BID 5011 <http://www.securityfocus.com/bid/5011>
BID 5305 <http://www.securityfocus.com/bid/5305>
BID 7344 <http://www.securityfocus.com/bid/7344>
BID 7353 <http://www.securityfocus.com/bid/7353>
BID 8037 <http://www.securityfocus.com/bid/8037>
BID 14473 <http://www.securityfocus.com/bid/14473>
BID 17408 <http://www.securityfocus.com/bid/17408>
BID 54344 <http://www.securityfocus.com/bid/54344>
CVE CVE-2002-1060
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1060>
CVE CVE-2002-1700
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1700>
CVE CVE-2003-1543
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1543>
CVE CVE-2005-2453
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2453>
CVE CVE-2006-1681
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1681>
CVE CVE-2012-3382
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3382>
XREF CWE:79 <http://cwe.mitre.org/data/definitions/79>
Plugin Information
Published: 2001/11/30, Modified: 2018/07/06
Plugin Output
tcp/9080
------------------------------ Request #1 ------------------------------

The full request used to detect this flaw was :

GET /cgi-bin/llknxx7s.html HTTP/1.1
Host: <script>alert(Host)</script>:9080
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*



The output was :

HTTP/1.1 404 Not Found
Date: Thu, 23 Jan 2020 18:13:22 GMT
Connection: close, Upgrade
Upgrade:
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 437


[...] Jansson/2.9 Server at <script>alert(Host)</script> Port
9080</address></ [...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20200129/8cddc0de/attachment.html>


More information about the Info-cyrus mailing list