2008-08-23 19:23:26

OpenBSD CVSweb or how not to fix XSS

A while ago, a Cross Site Scripting (XSS) vulnerability had been found in CVSweb, as used by the OpenBSD Project.

XSS basics

The name Cross Site Scripting can be quite misleading. The actual problem is that arbitrary HTML code can be inserted into the web site. This also means that the information displayed on the site can be faked; thanks to CSS and related tricks, no JavaScript is required for this anymore. The term Cross Site Scripting comes from just one possible scenario, in which injected JavaScript code can do arbitrary things, even send requests back to an attacker's web server, e.g. carrying the password from some login page.

That is only one possible scenario, though. In every case, fake information can be injected into the web site so that it appears to be something it is not.

The correct fix is of course to encode user input properly before displaying it on the web site, just as must be done with user input destined for SQL statements (SQL injection attacks exploit cases where this is not done properly). Languages used to build web applications normally already provide means to encode user input for use in web pages; Perl, for example, has encode_entities() in the HTML::Parser package.
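As an added illustration (not CVSweb's code, which is Perl; this is a hypothetical Python stand-in where html.escape() plays the role of Perl's encode_entities()), the following shows a CGI-style page that reflects request parameters verbatim next to the encoded version, and a crude check for markup that did not come from the template. The injected value is pure HTML with no JavaScript, matching the fake headline the post describes.

```python
import html
import re
from urllib.parse import parse_qs

# Minimal stand-in for a CVSweb-style CGI page that reflects request
# parameters (a path and a search string) into the HTML it returns.
TEMPLATE = ("<html><body><h1>CVS log for {path}</h1>"
            "<p>Search: {query}</p></body></html>")
TEMPLATE_TAGS = {"html", "body", "h1", "p"}

# Constructed request: the q parameter carries markup only, no script,
# i.e. "<h2>Only 2 Remote bugs</h2>" once URL-decoded.
SAMPLE_REQUEST = "path=src%2Fsys%2Fkern&q=%3Ch2%3EOnly+2+Remote+bugs%3C%2Fh2%3E"


def _params(query_string: str) -> dict:
    p = parse_qs(query_string)
    return {"path": p.get("path", [""])[0], "query": p.get("q", [""])[0]}


def render_unsafe(query_string: str) -> str:
    """The 'before' case: reflected values are pasted into the page verbatim."""
    return TEMPLATE.format(**_params(query_string))


def render_safe(query_string: str) -> str:
    """The fix the post calls for: HTML-encode every reflected value."""
    p = _params(query_string)
    return TEMPLATE.format(path=html.escape(p["path"], quote=True),
                           query=html.escape(p["query"], quote=True))


def foreign_tags(page: str) -> set:
    """Detection check: tag names present in the page beyond the template's own."""
    found = set(re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page))
    return found - TEMPLATE_TAGS


if __name__ == "__main__":
    print("unsafe:", foreign_tags(render_unsafe(SAMPLE_REQUEST)))  # {'h2'}
    print("safe:  ", foreign_tags(render_safe(SAMPLE_REQUEST)))    # set()
```

The unsafe page renders the injected headline as real markup whether or not the browser runs JavaScript; the encoded page displays the literal text instead.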

(For more information on Cross Site Scripting, please refer to my lecture about common security problems at the Chaos Communication Congress.)

OpenBSD's fix

Rather than encoding the input in question properly and verifying its validity, the OpenBSD people chose a very unconventional (and useless) way of fixing the problem: a piece of JavaScript was added to the web site that redirects to a page stating that JavaScript sucks. That page goes on to say:

Javascript Just Sucks

CVSweb takes input to a cgi script to show you source code, which it sanitizes to protect itself. It doesn't care how insecure your web browser is.

Nothing on www.openbsd.org cares about Cross Site Scripting, since we don't use cookies or any form of authentication. However since your web browser will accept script calls in a url, some idiot could send you a URL with a script embedded in it to make your browser go somewhere else from a url that starts with www.openbsd.org. Somehow the XSS wankers feel this affects openbsd.org's street cred. Mystifying to me, since if you decide to visit this site with a web browser that does rm -rf / every time your browser sees the word "elephant" - well you just got pwned too. The problem is your browser.

Of course to remove all special chars in input fields for cvsweb means you can't look for interesting stuff in code. So, someday I might take the time to try to do that, without making cvsweb useless. In the meantime, just turn off javascript when visiting this site, use a browser that doesn't support it, or use the firefox noscript extension and you'll see cvsweb just fine, once you revisit it at http://www.openbsd.org/cgi-bin/cvsweb

The claim that the problem lies only in the browser is of course entirely wrong. The web site contains additional content that is not supposed to be there, and the browser cannot tell the difference between wanted and unwanted content. If the input is not properly sanitized, the browser will necessarily interpret it wrongly.

If, for example, you visit the above link with JavaScript disabled, you will still see the headline "Only 2 Remote bugs", which clearly does not belong there. The fix does not work.

Posted by Tonnerre Lombard | Filed under: security, programming