------------------------------------------------------------ - EXPL-A-2005-014 exploitlabs.com Advisory 043 - ------------------------------------------------------------ -perldiver - AFFECTED PRODUCTS ================= Perldiver v1.x and 2.x http://scriptsolutions.com/ OVERVIEW ======== Perl Diver digs into your server's perl installation and giving you the information you need and quick and easy to find manner. DETAILS ======= 1. XSS Perldiver does not properly filter malicious script content. XSS my be inserted in the "module" parameter. ( v2.x ) or as a GET request in the main script ( v1.x ) The malicious script is the rendered and is executed in the context of the users brower. POC === 1.x ------ http://[host]/[path]/perldiver.pl?testhere 2.x ------ http://[host]/[path]/perldiver.cgi?action=2020&module= bonus vendor site vuln: http://www.scriptsolutions.com/programs/free/perldiver/perldiver.cgi?action=2020&module= SOLUTION: ========= vendor contact: Sept 14, 2005 http://www.scriptsolutions.com/support/postlist.pl?Cat=&Board=DDBugs response Sept 15, 2005 If you are a current PerlDiver user, you can either download the updated version, or insert the following line after my $module = param( 'module' ); in the module_detail subroutine: $module =~ s/^([A-Za-z0-9]|:)//g; updated version: http://www.scriptsolutions.com/support/showflat.pl?Board=DLPerlDiver&Number=446 http://www.scriptsolutions.com/support/files/4-446-perldiver.zip Credits ======= This vulnerability was discovered and researched by Donnie Werner of exploitlabs mail: wood at exploitlabs.com mail: morning_wood at zone-h.org -- web: http://exploitlabs.com web: http://zone-h.org orig advisory: http://exploitlabs.com/files/advisories/EXPL-A-2005-014-perldiver.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/