Lil'HTTP Pbcgi.cgi XSS Vulnerability

From: Matthew Murphy (mattmurphyat_private)
Date: Thu Jul 11 2002 - 08:58:23 PDT

    Recently, I reported on a vulnerability in the Urlcount.cgi script of
    Lil'HTTP Server (Summit Computer Networks).  This time, another
    CGI (pbcgi.cgi) has been found vulnerable to cross-site scripting.
    
    Some versions of this CGI will take the form input you POST/GET
    to it, and break it into name/e-mail.  It does not properly sanitize
    the input used in this process, making it vulnerable to cross-site
    scripting attacks.
    
    Although the entire form data string is not decoded (and thus is
    not vulnerable to XSS in most browsers), the "Name" and "E-mail"
    strings that the CGI creates ARE decoded, resulting in a security
    issue:
    
    http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E
    
    Given the lack of a response from PowerBASIC with my previous
    issue, I do not expect the vendor to release a fix anytime soon.
    
    Vulnerable administrators should remove the pbcgi.cgi application
    from their CGI-BIN folder.
    
    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown
    
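The following is an added example, not code from the advisory or from PowerBASIC, that models the behaviour described above: the query string is URL-decoded into "name" and "e-mail" fields and echoed back into the page. It places the unescaped rendering beside an HTML-escaped one and includes a simple check a maintainer could run to confirm that decoded input no longer lands in the output as markup. The field-splitting logic is an assumption about what pbcgi.cgi does, reconstructed from the post.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request, matching the proof-of-concept URL quoted in the post.
SAMPLE_URL = ("http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy"
              "&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E")


def split_form(url: str) -> dict:
    """Assumed CGI behaviour: URL-decode the query and pull out name and e-mail."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {"name": qs.get("name", [""])[0], "email": qs.get("email", [""])[0]}


def render_unsafe(fields: dict) -> str:
    """The defect the post describes: decoded values are written out verbatim."""
    return f"<p>Name: {fields['name']}</p><p>E-mail: {fields['email']}</p>"


def render_safe(fields: dict) -> str:
    """Hardened version: HTML-escape each decoded value before it enters the page."""
    return (f"<p>Name: {escape(fields['name'], quote=True)}</p>"
            f"<p>E-mail: {escape(fields['email'], quote=True)}</p>")


def reflects_markup(fields: dict, page: str) -> bool:
    """Check: does any submitted value containing '<' appear unchanged in the output?"""
    return any("<" in value and value in page for value in fields.values())


if __name__ == "__main__":
    fields = split_form(SAMPLE_URL)
    print("unsafe reflects markup:", reflects_markup(fields, render_unsafe(fields)))
    print("safe reflects markup:  ", reflects_markup(fields, render_safe(fields)))
```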



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 13:50:20 PDT