The following cross-site scripting vulnerability was reported in cgiwrap. This has just been corrected in version 3.7 which has just been released.

http://prdownloads.sourceforge.net/cgiwrap/cgiwrap-3.7.tar.gz

All error message output is now html encoded to prevent this problem.

-- Nathan

> "TAKAGI, Hiromitsu" wrote:
> >
> > Hi,
> >
> > I found a cross-site scripting vulnerability in CGIWrap. Cookies
> > issued by the server on which CGIWrap is installed can be stolen.
> >
> > Please try to access the following URLs.
> >
> > Confirming the bug:
> > http://www.unixtools.org/cgi-bin/cgiwrap/%3CS%3E
> > http://www.unixtools.org/cgi-bin/cgiwrap/>
> > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/>TEST</S>
> > JavaScript code will be executed:
> > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/
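
The fix named in the announcement (HTML-encoding all error message output), sketched as an added example; it is not CGIWrap's code and not part of the original message. The function names, buffer sizes and error text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not CGIWrap's source): HTML-encode `in` into `out`.
 * Returns the encoded length, or -1 if `out` is too small; on failure `out`
 * is left as an empty string so a partial entity is never emitted. */
int html_encode(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outsz) { out[0] = '\0'; return -1; }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Build an error page body that echoes the requested path only after encoding. */
int format_error(const char *path, char *page, size_t pagesz)
{
    char safe[512];
    if (html_encode(path, safe, sizeof safe) < 0)
        return -1;                       /* refuse to echo oversized input */
    int n = snprintf(page, pagesz, "<p>Unable to run request: %s</p>", safe);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : n;
}

int main(void)
{
    char page[1024];
    /* Constructed input: the decoded form of the %3CS%3E path from the report. */
    if (format_error("<S>", page, sizeof page) > 0)
        puts(page);
    return 0;
}
```

Encoding happens at the point of output, after URL decoding, so the percent-encoded and literal forms of the path are treated the same way.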