Another Faq-O-Matic XSS Vuln?
-----------------------------

I have seen other XSS advisories on bugtraq and securityfocus for Faq-O-Matic, but I have not seen an advisory for this particular vulnerability.

Faq-O-Matic XSS (cross site scripting) Vulnerability
Discovered By BrainRawt (http://rawt.daemon.sh)

About Faq-O-Matic:
------------------
The Faq-O-Matic is a CGI-based system that automates the process of maintaining a FAQ (or Frequently Asked Questions list). It allows visitors to your FAQ to take part in keeping it up-to-date.

Faq-O-Matic can be downloaded @ http://sourceforge.net/projects/faqomatic

Vulnerable (tested) Versions:
-----------------------------
Faq-O-Matic 2.712
Faq-O-Matic 2.711

Vendor Contact:
---------------
4-19-02 - An email was sent to jonhowell at users.sourceforge.net discussing this issue.
4-19-02 - An email was received from Jon Howell claiming that this vulnerability and others have been fixed in the current CVS tree, which hasn't been released yet.

NOTE: Jon seems like a great guy and as you can see by the date, replied to my email VERY quickly. Thanks a lot Jon for your quick reply and I hope to see that new CVS tree released soon.

Vulnerability:
--------------
Faq-O-Matic's fom.cgi improperly filters the "file" parameter, which can be changed by visitors to the site. If the requested "file" doesn't exist, the script prints the parameter value unescaped into the HTML page. A malicious visitor to this website can change "file" from its original call and insert javascript into the site. This vulnerability can be used for various reasons, from website redirection to cookie theft.

Exploit (POC):
--------------
http://www.target.net/path_to_Faq-O-Matic/fom?file=
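The following is an added illustration of the flaw described above and of its fix; it is not Faq-O-Matic's own (Perl) code. It models the "unknown file" branch of a CGI handler two ways, echoing the "file" parameter raw versus HTML-escaping it, and adds a small access-log check that flags requests whose "file" value carries markup characters. The file names, the log lines and the function names are all constructed for the example.

```python
# Added example (not Faq-O-Matic's own code): a reflected XSS sink in a
# "file not found" message, its escaped counterpart, and a defender-side
# log check. Everything named here is hypothetical.
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical set of FAQ files that exist on the server.
KNOWN_FILES = {"1", "2", "index"}

# Constructed request in the shape of the advisory's PoC URL.
PROBE = ("http://www.target.net/path_to_Faq-O-Matic/fom"
         "?file=%3Cscript%3Ealert(1)%3C/script%3E")

# Constructed access-log lines: "<client> <request-path> <status>".
SAMPLE_LOG = [
    "10.0.0.5 /faq/fom?file=index 200",
    "10.0.0.9 /faq/fom?file=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "10.0.0.7 /faq/fom?file=2 200",
]


def vulnerable_not_found(file_param: str) -> str:
    """Echoes the parameter verbatim into the page: the flaw in the advisory."""
    return f"<p>Sorry, the file {file_param} does not exist.</p>"


def hardened_not_found(file_param: str) -> str:
    """Escapes the parameter so the browser renders it as text, not markup."""
    return f"<p>Sorry, the file {html.escape(file_param, quote=True)} does not exist.</p>"


def handle_request(url: str, render_missing) -> str:
    """Pulls 'file' from the query string and dispatches like a minimal CGI would."""
    query = parse_qs(urlsplit(url).query)          # parse_qs percent-decodes values
    file_param = query.get("file", [""])[0]
    if file_param in KNOWN_FILES:
        return f"<p>Serving FAQ file {html.escape(file_param)}.</p>"
    return render_missing(file_param)


def contains_raw_tag(rendered: str, marker: str = "<script") -> bool:
    """True if the rendered page still carries the tag unescaped."""
    return marker in rendered.lower()


def suspicious_file_requests(log_lines):
    """Flags log entries whose decoded 'file' parameter contains markup characters."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parse_qs(urlsplit(parts[1]).query)
        for value in query.get("file", []):
            if any(ch in value for ch in "<>\"'"):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    print(handle_request(PROBE, vulnerable_not_found))   # tag reaches the page intact
    print(handle_request(PROBE, hardened_not_found))     # tag is rendered as text
    for entry in suspicious_file_requests(SAMPLE_LOG):
        print("flagged:", entry)
```

The escaping in `hardened_not_found` is the same fix the vendor reply refers to in principle: the parameter is still reported back to the visitor, but as inert text. The log check is a coarse triage aid, not a filter; it only tells you which requests to look at.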