Web Security Hole Could Be A Whopper, Experts Say 02/03/00 - Internet/Web/Online Service Information
PITTSBURGH, PENNSYLVANIA, U.S.A., 2000 FEB 3 (NB) -- Experts are warning about a newly understood - and potentially huge - hole in Web-surfing security that cuts across just about all Web servers and browsers. What's more, the problem has existed virtually since the dawn of browser-based programming languages such as JavaScript.

In hindsight, the issue they are calling "cross-site scripting" (CSS) seems so obvious that security pros - and probably many hackers - are slapping their foreheads for not having figured it out before. And, in an unusual move, the federally funded CERT Coordination Center at Carnegie Mellon University in Pittsburgh, and a host of Web server and browser vendors, are providing detailed information on how CSS works in a concerted effort to rid the Web of the dangers it poses.

At the heart of CSS is the ability to inject malicious scripts into pages that are generated dynamically by Web servers. The dynamic pages may be served up by programs known as CGI (common gateway interface) applications or by server-side, page-based languages such as PHP or Microsoft's Active Server Pages. Such applications frequently take user input and then redisplay it on a dynamically generated page.

CERT said a simple example would be a Website-search tool which, in displaying its results, prints out the word or phrase the user typed.

If the regurgitated input contained, say, a functional JavaScript program, the script could execute within the browser of the user viewing the page. CERT said the end results of well-executed attacks using malicious scripts could run the gamut from displaying bogus text to swiping credit-card information while the user is browsing a site they have every reason to trust.

Jeff Havrilla, a member of the technical staff at the CERT Coordination Center, told Newsbytes today what investigators realized about three weeks ago - that there are techniques a malicious hacker could use to trick an unsuspecting user into submitting such code to a respected site, such as an online shopping destination.

CERT officials said they have yet to receive a single report of a CSS attack, but added that the technique could be hard to detect. And, although the details of the security hole being published online by CERT and the software vendors could be read as a CSS primer for hackers, Havrilla said the goal is to reach the Website operators, who, ultimately, will be responsible for cleaning up the mess - and to alert Web surfers.

"That's one of the reasons we decided to go with multiple documents," he said, "so that we could point people to specific information they would find most useful in either solving the problem ... or protecting themselves as end users."

The key issues behind CSS are not directly related to a bug in any vendor's Web server or browser software, CERT said in the advisory it first published Wednesday. And, ironically, most Web developers have been aware of the fundamental principles for years.

For example, CERT said, sites which operate online message boards or Web-based chat rooms learned long ago to strip code such as JavaScript routines out of text submitted by users. If they didn't, such code could execute in the browsers of other visitors who later read the pranksters' posts.

But the picture CERT painted this week was of a Web wide open to such malicious insertion of scripts into a wide variety of dynamically generated pages that many Webmasters may not have thought needed to be more secure.

The security experts call it "cross-site" scripting because they suggest the most-likely scenario for a serious attack would see the malicious code embedded on one Website in a hypertext link that points to a dynamically-generated page on another site.

If the destination on the target site is something innocuous - like a CGI application that processes a feedback form - it's entirely possible that programmers did not bother to build into their own code the kinds of script-killing routines they would regularly have placed behind an online message board. If that feedback handler also displays a copy of the user's submission to the Web surfer - as many do - the malicious script could be embedded on the resulting page and executed in the unsuspecting user's browser.

CERT said one reason for the lack of security in many such dynamic Web applications may be that developers would not expect a user to "hack" a page - such as a feedback response - that only they would see. But they say the concept of the malicious code coming from another site without the Web surfer's knowledge casts an entirely new light on the problem.

Now, they say, it's easy to imagine code embedded in a hypertext link on a remote Website or arriving via an e-mail message being turned into a live and potentially malicious script on a destination trusted by the user.

With some fancy programming, combined with careful analysis of target sites, a malicious hacker could create a script that captures passwords or credit card numbers entered by users in the Web-based forms of e-commerce sites and then send that data back to the hacker, CERT warned.

What's more, said CERT, CSS offers evil-doers the ability to create scripts that can be embedded in browser cookies and potentially activated every time the user returns to the target site. While activating a script via browser cookies is not new, the CSS approach allows a hacker to get around the hurdle that cookies can be accessed only when communicating with the Web server associated with them. Through CSS, CERT said, the "poisoned cookie" would be associated with the trusted site.

Havrilla said the CERT team doesn't yet know for sure exactly how widespread the problem is, other than that its preliminary investigation suggests it is common.

"It's still a little too soon to really have a lot of feedback regarding this issue," he said. "It's going to take some time for the community to be able to digest the information that we published. It took us a long time to wrap our own brains around the issues and the problems."

CERT said that for an attack to be successful, two conditions have to be met:

- Firstly, the target Website has to be able to generate a dynamic page that spits back intact an executable script sent to it.

- Secondly, the unsuspecting user has to be enticed to make the connection from the source of the malicious code to the target site, probably by clicking on a link at another Website or in an e-mail message.

Throughout a Web sprouting with advertising banners and affiliate-program links to online retail sales and Web-searches, the opportunities to set up legitimate-looking traps are endless.

While CERT is asking surfers to click carefully, it pointed out that cleaning up the problem initially will require Web developers to check all their interactive programs to ensure that they don't regurgitate potentially spurious code without first making it inactive as a script. Techniques for turning code into printable text instead of an executable script - or for stripping it out altogether - are well-known, but investigators have already found some obscure shortcomings with some of these fixes.

"There's lots of issues surrounding which character sets they're using," Havrilla said. "Browsers today are international products, and it appears to be commonplace that people have fixed this problem for regular Latin characters but may have overlooked it when it comes to some of the Asian alphabets, for example."

The result, he said, is that software routines designed to hunt down scripts in data submitted to Websites can overlook executable scripts represented in the alternate character sets.
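To make the search-tool scenario and the fix concrete, here is an added example written for this page; it is not code from the article, from CERT, or from any vendor named above. It models the handler as a small Python module rather than the PHP or CGI program the article has in mind, and the query string it processes is a constructed sample. The first renderer echoes the search term back unchanged, which is the first of CERT's two conditions (the site returns an executable script intact). The second renderer turns the term into printable text by replacing the HTML metacharacters with character references, and the server declares its character set explicitly so the escaping and the browser's decoding agree, which is the mismatch Havrilla describes.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: a CGI-style query string carrying a script tag as the
# search term, URL-encoded the way a browser would send it.
SAMPLE_QUERY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def search_term(query_string: str) -> str:
    """Extract the user-supplied search term from the query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Echo the term straight into the page, as the search tool in the
    article does. Whatever the user typed is parsed by the browser as
    markup, so a <script> block becomes a live script."""
    return f"<html><body><p>Results for: {term}</p></body></html>"


def render_results_escaped(term: str) -> str:
    """Turn the term into printable text before it reaches the page.
    & < > " ' are replaced with character references, so the browser
    displays them but never treats them as tags or attribute delimiters."""
    safe = html.escape(term, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


def response_headers() -> dict:
    """Name the character set explicitly. The references produced by
    render_results_escaped() only stay inert if the browser decodes the
    page in the charset the escaping assumed; leaving it unstated invites
    the alternate-charset problem the article describes."""
    return {"Content-Type": "text/html; charset=UTF-8"}


def contains_live_script(page: str) -> bool:
    """Simple check used to compare the two renderers: does an unescaped
    <script tag survive in the generated page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(SAMPLE_QUERY)
    print(response_headers())
    print("vulnerable:", render_results_vulnerable(term))
    print("escaped:   ", render_results_escaped(term))
```

The escaped renderer is the "turn code into printable text" approach the article prefers over stripping: it changes no user content, only its representation, so there is no pattern list to fall behind, and the explicit charset header closes the gap between what the filter saw and what the browser renders.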

In addition, CERT warned, not all dynamically generated pages on a Website are created by programs written by site developers. For example, it said, most Web servers are programmed to generate certain responses themselves - such as the familiar "Page not found" report users often see and some system-related displays usually reserved for administrators.

The Apache Software Foundation has released a patch for one such feature of its freely available Web server which, in certain instances related to the character-set issue, could return dynamically generated information to a user's browser without first neutralizing embedded codes.

And, as an example of how easy it is to write programs that are open to CSS attacks, both Apache and Sun Microsystems have published lists of "sample" CGI programs shipped with their servers that Webmasters should remove from these sites. Hackers know that these samples are often left online when Web servers are installed.

More information on the CERT advisory can be found on the Web at: http://www.cert.org/advisories/CA-2000-02.html

Reported by Newsbytes.com, http://www.newsbytes.com

(20000203/Press contact: Bill Pollak, CERT, 412-268-4793 /WIRES ONLINE, PC, BUSINESS, LEGAL/HOLE/PHOTO)

COPYRIGHT 2000 Newsbytes News Network
COPYRIGHT 2000 Gale Group
