IPCop proxylog.dat Cross Site Scripting Vulnerability
1 Dec. 2004
Summary
IPCop "implements existing technology, secure programming practices and outstanding new concepts to make it the Linux Distribution for protecting single home computers, to large corporate networks from intrusions and attacks".
A vulnerability in the way IPCop displays log files allows a remote attacker to initiate a cross site scripting attack against an IPCop administrator who is currently viewing the product's log files.
Vulnerable Systems:
* IPCop version 1.4.1 and prior
The "proxylog.dat" page allows the IPCop administrators to review browsed websites that have been processed through Squid. By creating a specially crafted HTTP request, it is possible to inject script code into the "proxylog.dat" page. This occurs as the variables "$url" and "$part" are not properly sanitized before being sent to the user. When the administrators view the page, the script code will be executed.
Proof of Concept:
The following HTTP request example will cause script injection into the proxy log:
GET /<script>alert('XSS_PoC')</script> HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: example.com
Connection: Close
Workaround:
1) Open /home/httpd/cgi-bin/logs.cgi/proxylog.dat
2) Locate the following text: unless (length($part) < 60) { $part = "${part}..."; }
3) Insert the following five lines below:
#Filter out < and >
$url =~ s/</&lt;/g;
$part =~ s/</&lt;/g;
$url =~ s/>/&gt;/g;
$part =~ s/>/&gt;/g;
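
The workaround filters only < and >. The following is an added example, not IPCop's own code, that goes further and also escapes &, " and ', which matters if the logged URL is written into a quoted attribute as well as into visible text. The helpers html_escape and render_row, the row layout and the sample URLs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape every character that is significant in HTML text or in a quoted
# attribute value. '&' is handled first so the entities produced for the
# other characters are not escaped a second time.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical row renderer (assumed layout, not IPCop's code): shorten the
# display text first, then escape, so truncation never cuts an entity in half.
sub render_row {
    my ($url) = @_;
    my $part = substr($url, 0, 60);
    $part .= '...' unless length($url) <= 60;
    return sprintf("<td><a href=\"%s\">%s</a></td>",
                   html_escape($url), html_escape($part));
}

# Constructed sample URLs, as they might be read back from the proxy log.
my @samples = (
    "http://example.com/<script>alert('XSS_PoC')</script>",
    "http://example.com/?a=1&b=\"x\"",
    "http://example.com/" . ("a" x 40) . "<b>",   # '<' is the 60th character
);

for my $url (@samples) {
    my $row = render_row($url);
    # Strip the fixed tags emitted by render_row; what is left came from the
    # logged URL and must contain no raw markup or quote characters.
    (my $inner = $row) =~ s/^<td><a href="|">|<\/a><\/td>$//g;
    die "unescaped character in: $row\n" if $inner =~ /[<>"']/;
    print "$row\n";
}
```

The third sample shows why the order matters: escaping before the 60-character cut would leave a dangling "&" where "&lt;" was split.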