Just opened the knowledge base for your reading pleasure 😀 You will find lots of good papers and such one a wide range of subjects related to security. I will be adding more every day so check back often! Also feel free to make suggestions on any great papers or what not you have come across recently, i would be happy to add them to the list.
I dont normally make posts about XSS exploits unless there is some special circumstances. I picked this one because BackupPC is a popular network backup tool that you might find in networks all over the place and because there is no built in security you normally only find it on “secure” trusted networks.
So anyway the issue is in Browse.pm. It gets a num variable passed to it via get request, then displays the unsanitary input back to the user. So heres PoCs of both the vectors i found.
PoC 1: http://target.server/cgi-bin/BackupPC_Admin?action=browse&host=realhostneeded&num=1[XSS] – comes back as a valid request and runs XSS
PoC 2: http://target.server/cgi-bin/BackupPC_Admin?action=browse&host=realhostneeded&num=[XSS] – comes back as ERROR and runs XSS
Like most XSS holes its a easy fix, just edit line 55 in /usr/local/BackupPC/lib/BackupPC/CGI/Browse.pm to read like so:
my $num = ${EscHTML($In{num})};
or download this Browse.pm file and replace it with the one in /usr/local/BackupPC/lib/BackupPC/CGI/ on the installed server.
Ok thats it, peace.
Check out the new “Protect your self” section under projects. It has advice from protecting your files online to what to do when you get pulled over by the man. So go read, and educate your self so you can protect your self 😛