VisNetic WebSite XSS vulnerability through HTTP Referer header
15 Dec. 2002
Summary
VisNetic WebSite, the first web server developed specifically for Windows, can use almost any development platform, and includes features that allow web developers to create powerful, flexible web sites. VisNetic WebSite is a secure Windows-based web server that supports multiple domains, and allows TLS/SSL secured domains. This web server also includes support for a user database that can restrict access to content, and is immune to many of the security issues that may arise with other popular web servers. A vulnerability in the product allows remote attackers to carry out a cross-site scripting (XSS) attack by inserting malicious HTML and/or JavaScript into the HTTP Referer header.
Credit:
The information has been provided by Ory Segal.
Vulnerable systems:
* VisNetic WebSite version 3.5.13.1
Immune systems:
* VisNetic WebSite version 3.5.15
Impact:
Loss of privacy - user cookies associated with the target site may be stolen in some cases.
Technical details:
The VisNetic WebSite server returns a customized 404 page when a requested page does not exist. This customized 404 page contains a link to the last visited web page; clicking the link takes the user back to the page he/she came from. The link is built from the data in the HTTP 'Referer' header, which the web browser sends automatically. By requesting a non-existent page and changing the HTTP 'Referer' header to contain malicious JavaScript code, an attacker may force the application to return the JavaScript code to the web browser, where it will be executed.
Example Exploit:
The following request causes the server to return a page that displays a JavaScript pop-up:
GET /NonExistentPage.html HTTP/1.0
Host: TARGET
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><scr!pt>alert('Cross Site Scripting')</scr!pt>
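
The flaw described under Technical details, next to a hardened form, as an added example (not VisNetic's code and not part of the original advisory). The 404 markup and the function names are assumptions for illustration; the sample header is the defanged Referer value from the request above.

```python
import html
from urllib.parse import urlsplit

# Referer value from the request shown above (defanged, as published on the page).
PAGE_REFERER = "\"></a><scr!pt>alert('Cross Site Scripting')</scr!pt>"


def render_404_unsafe(referer):
    """Mirrors the described flaw: the header is copied into the href unchanged."""
    return '<p>Page not found. <a href="' + referer + '">Go back</a></p>'


def safe_back_link(referer):
    """Return an escaped back link, or '' when the header is unusable."""
    if not referer or len(referer) > 2048:
        return ""
    # Control characters have no place in a URL; drop the link entirely.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in referer):
        return ""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return ""
    # Only absolute http(s) URLs are acceptable link targets.
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return ""
    # Escape for an HTML attribute context, quotes included.
    return '<a href="' + html.escape(referer, quote=True) + '">Go back</a>'


def render_404_safe(referer):
    """404 page that omits the back link rather than echo a bad header."""
    return "<p>Page not found. " + safe_back_link(referer) + "</p>"
```

The scheme check and the attribute escaping are independent: the first drops headers that are not plain http(s) URLs, the second keeps a syntactically valid URL from closing the href attribute.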