XSS vulnerability and broken code in LSWS Server Log Viewer

brrr

Well-Known Member
#1
LSWS Standard Edition 4.0.14 has a potential XSS vulnerability within the Web Administration Console, specifically within the Server Log Viewer.

This vulnerability arises because LSWS does not sanitise the request data presented to the client browser by the Server Log Viewer. This allows potentially malicious code - including Javascript - to run on the Administrator's browser client within their authenticated session.

I think this needs to be fixed. Bad things can potentially happen.

The lack of sanitisation of the request data presented in the Server Log Viewer can also cause the page HTML of the Server Log Viewer to break or render improperly.


The images below illustrate these problems.

The first image shows a Javascript popup message being displayed in the browser once a page of Server Log Viewer results is displayed.

lsws-server-log-vul1.jpg

This is produced by the Server Log Viewer displaying the following request that generated a 404:

Code:
2010-04-22 13:22:58.083 INFO [12.345.678.910:3892-0#Example] File not found [/opt/lsws/DEFAULT/html/<br><br><script>alert("Vulnerable")</script>.jsp]
The second image shows the broken HTML rendering of the bottom of the Server Log Viewer page visible on the same page.

lsws-server-log-vul2a.jpg

When you examine the HTML at the bottom of that page, this is the HTML that causes the page display to break, by introducing an unclosed script string:

Code:
<tr><td class="log_I0">2010-04-22 13:22:58.123</td><td class="log_I1">INFO</td><td class="log_I2">[12.345.678.910:3894-0#Example] File not found [/opt/lsws/DEFAULT/html/<br><br><script>alert(\]</td></tr>
From this point forward in the page, the page renders incorrectly, e.g. the 'Begin', 'Prev', 'Refresh', 'Next' and 'End' buttons that should appear at the bottom of the page are no longer visible on the page.

Browser used was Opera 9 but both of these issues could occur in many other browsers. LSWS version used was 4.0.14 Std but the same problem may occur in other LSWS editions.

FYI.
 

Lauren

LiteSpeed Staff
Staff member
#2
If you view the page source, the <script> tag should already be encoded.
Tested on Firefox, Chrome and Opera 10; cannot reproduce this.
 

brrr

Well-Known Member
#3
I can easily reproduce this on firefox 3.0.11 too.

I'll try and send you a PM with an attached htm file that is a straight View Source > Save of a page with the offending code. To open the file, go File > Open in Firefox and see what happens.

Even when you open the plain htm file (which doesn't load any images, CSS or external Javascripts), Firefox 3 throws up the Javascript popup shown above.

Probably other browsers will do the same. I haven't checked widely.

I think you need to re-check the HTML code parsing routine you are using to ensure that no active <script> tags remain in the code you display here.
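The fix the thread is asking for is output encoding: every log field must be HTML-escaped at the point where it is written into the viewer's table cells, so that request data never becomes markup in the administrator's session. The following is an added example (not LiteSpeed's code, and not a claim about how the LSWS viewer is implemented) that renders log lines the way a hardened viewer should, next to a naive variant that only backslash-escapes quotes and therefore leaves the tag active. The log-line regex and the `log_I0`/`log_I1`/`log_I2` cell classes are assumptions borrowed from the lines quoted above; the sample log lines are constructed.

```python
import html
import re

# Constructed sample log entries, modelled on the 404 line quoted in this thread.
SAMPLE_LOG_LINES = [
    '2010-04-22 13:22:58.083 INFO [12.345.678.910:3892-0#Example] File not found '
    '[/opt/lsws/DEFAULT/html/<br><br><script>alert("Vulnerable")</script>.jsp]',
    "2010-04-22 13:23:01.500 NOTICE [12.345.678.910:3895-0#Example] "
    "Plain entry with 'quotes' & an ampersand",
]

# Assumed layout: "<date> <time> <LEVEL> <message>". Not the official LSWS format spec.
LOG_LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")


def parse_log_line(line):
    """Split one log line into (timestamp, level, message); None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groups() if m else None


def render_row(line):
    """Render one log line as a table row with every field HTML-escaped.

    html.escape(quote=True) turns < > & " ' into entities, so attacker-controlled
    request paths can never open a tag or break out of an attribute.
    """
    parsed = parse_log_line(line)
    if parsed is None:
        # Unparseable lines are still untrusted: escape them wholesale.
        return '<tr><td class="log_I0" colspan="3">%s</td></tr>' % html.escape(line, quote=True)
    cells = [html.escape(field, quote=True) for field in parsed]
    return "<tr>" + "".join(
        '<td class="log_I%d">%s</td>' % (i, cell) for i, cell in enumerate(cells)
    ) + "</tr>"


def render_row_naive(line):
    """Weak variant for comparison: backslash-escapes quotes only, as a JS-string
    escaper might, and leaves <script> intact. Do not use; shown to contrast."""
    parsed = parse_log_line(line)
    if parsed is None:
        return '<tr><td class="log_I0" colspan="3">%s</td></tr>' % line.replace('"', '\\"')
    cells = [field.replace('"', '\\"') for field in parsed]
    return "<tr>" + "".join(
        '<td class="log_I%d">%s</td>' % (i, cell) for i, cell in enumerate(cells)
    ) + "</tr>"


def render_table(lines):
    """Render a whole page of log lines as an HTML table."""
    return "<table>\n" + "\n".join(render_row(l) for l in lines) + "\n</table>"


def cell_contents(rendered):
    """Extract the text placed inside each <td> of a rendered row or table."""
    return re.findall(r'<td class="log_I\d+"(?: colspan="3")?>(.*?)</td>', rendered)


def contains_active_markup(rendered):
    """Regression check for a log viewer: no raw '<' or '>' may survive inside a cell."""
    return any("<" in c or ">" in c for c in cell_contents(rendered))


if __name__ == "__main__":
    page = render_table(SAMPLE_LOG_LINES)
    print(page)
    print("escaped renderer leaks markup:", contains_active_markup(page))
    print("naive renderer leaks markup:", contains_active_markup(render_row_naive(SAMPLE_LOG_LINES[0])))
```

`contains_active_markup` is the kind of check worth keeping in the viewer's test suite: feed it a log line containing `<`, `>`, `"` and `'` and assert nothing tag-like reaches a cell, which is exactly the condition the View Source > Save reproduction above violates.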