CentOS - Aug 2015 - Apache mod_perl cross site scripting vulnerability

On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru>
wrote:
> 
> > I haven't used <Location /perl-status> but Trustwave still
finds me
> > vulnerable.
> >
> [...]
> > Response: HTTP/1.1 404 Not Found
> 
> You clearly aren't serving perl-status; that's a red herring here.
Indeed, I don't have mod_proxy installed. 
> [...]
> > Body: contains
'"><script>alert('xss')</script>'
> 
> That's your problem; they're flagging you for an XSS
"vulnerability".
> I'm guessing you have a custom 404 page that naively echoes the entire
> request URL as part of the page?  You need to be using
> htmlspecialchars() or HTML::Entities or whatever your
> language/environment has to escape strings for safe inclusion in HTML
> content.
There is PHP generated 404 page. I'll check that with web developer.
What's strange, I'm trying to reproduce this and I don't see that
string. Trustwave support suggested I use Burp Suite and it's repeater
tool. I find some windows machine, installed it and all I see inside
body is "Unable to resolve the request
"perl-status/APR::SockAddr::port".

Is there way to use curl for testing? I'm getting new line because of
the single quote inside string and escaping it with back slash gives me 
bash: syntax error near unexpected token `<'

> There is of course more to it than that (sigh), try for starters:
>
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Very nice reading, thanks!

On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru>
wrote:
> Is there way to use curl for testing? I'm getting new line because of
> the single quote inside string and escaping it with back slash gives me
> bash: syntax error near unexpected token `<'
You can use curl's -K option which lets you stick arguments in a file,
helpful for getting around shell quoting nightmares.  For example make
a file named test-url-file which contains the line
url = http://www.mydomain.com/[bad stuff, don't want this message
tripping over some filter for containing a malicious-looking URL]

then do curl -g -K test-url-file

Note that just gets you around shell interpretation; curl does some of
its own as well.  the -g switch I used there disables its
interpretation of {}[] as special globbing characters.  If you put the
url in double quotes then not only do you have to escape any double
quotes in the string, it also starts interpreting backslash sequences
so you have to double all backslashes--so oddly it's best to just
leave quotes off.

--ln

On 2015-Aug-12 05:17, Ellen Shull wrote:
> On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru>
wrote:
> > Is there way to use curl for testing? I'm getting new line because
of
> > the single quote inside string and escaping it with back slash gives
me
> > bash: syntax error near unexpected token `<'
> 
> You can use curl's -K option which lets you stick arguments in a file,
> helpful for getting around shell quoting nightmares.  For example make
> a file named test-url-file which contains the line
> url = http://www.mydomain.com/[bad stuff, don't want this message
> tripping over some filter for containing a malicious-looking URL]
> 
> then do curl -g -K test-url-file
> 
> Note that just gets you around shell interpretation; curl does some of
> its own as well.  the -g switch I used there disables its
> interpretation of {}[] as special globbing characters.  If you put the
> url in double quotes then not only do you have to escape any double
> quotes in the string, it also starts interpreting backslash sequences
> so you have to double all backslashes--so oddly it's best to just
> leave quotes off.
Thanks, it works! I was able to reproduce problem and was able to see
how my changes affected response from the server.