Secunia Research: BRS WebWeaver Error Page Cross-Site Scripting Vulnerability

====================================================================== 

                      Secunia Research 26/06/2003 

   - BRS WebWeaver Error Page Cross-Site Scripting Vulnerability - 

====================================================================== 
Receive Secunia Security Advisories for free: 
http://www.secunia.com/secunia_security_advisories/

====================================================================== 
Table of Contents 
1....................................................Affected Software 
2.............................................................Severity 
3.....................................Vendor's Description of Software 
4.........................................Description of Vulnerability 
5.............................................................Solution 
6...........................................................Time Table 
7..............................................................Credits 
8........................................................About Secunia 
9.........................................................Verification 

====================================================================== 
1) Affected Software 

BRS WebWeaver 1.0.4 
BRS WebWeaver 1.0.3 

NOTE: Prior versions have not been tested but may also be vulnerable. 

====================================================================== 
2) Severity 

Rating:  Less critical 
Impact:  Cross-Site Scripting 
Where:   From Remote 

====================================================================== 
3) Vendor's Description of Software 

"BRS WebWeaver is a free personal web server that run on the Windows
platform. Even with it's small size ( ~375 KB ) and low memory
requirements (~4 MB) it provides lots of functionality at speeds that
will impress you." 

Vendor: 
http://www.brswebweaver.com

====================================================================== 
4) Description of Vulnerability 

A vulnerability has been identified in BRS WebWeaver, which can be
exploited by malicious people to conduct Cross-Site Scripting attacks
against visitors. 

The vulnerability is caused due to a lack of input validation, since 
the name of a resource requested by a user is included in certain 
error pages without prior sanitation. 

A malicious person can exploit this by constructing a link, which
includes arbitrary script code. If a user is tricked into clicking 
the link or visit a malicious website, the script code will be 
executed in the user's browser session. 

Successful exploitation may result in disclosure of various 
information (e.g. cookie-based authentication information) 
associated with the site running BRS WebWeaver, or inclusion of
malicious content, which the user thinks is part of the real website. 

Example exploiting a "404 Not Found" error page: 
http://[victim]/<script>alert(document.domain)</script> 

Example exploiting a "403 Access Denied": 
http://[victim]/<script>alert(document.domain)</script>AAA..[196]..AAA

====================================================================== 
5) Solution 

Update to version 1.05: 
http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=2
====================================================================== 
6) Time Table 

26/04/2003 - Vulnerability discovered. 
29/04/2003 - Vendor notified (info@brswebweaver.com). 
07/05/2003 - Vendor notified again. 
07/05/2003 - Vendor reply. 
03/06/2003 - Vendor releases v1.05 BETA. 
24/06/2003 - Vendor releases v1.05. 
26/06/2003 - Public disclosure. 

====================================================================== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research. 

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://www.secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website: 
http://www.secunia.com/secunia_research/2003-6/
======================================================================