[26129] in bugtraq


Lil'HTTP Pbcgi.cgi XSS Vulnerability

daemon@ATHENA.MIT.EDU (Matthew Murphy)
Thu Jul 11 16:50:34 2002

Message-ID: <000701c228f3$c92f9d20$e62d1c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: <bugtraq@securityfocus.com>, "SecurITeam News" <news@securiteam.com>
Date: Thu, 11 Jul 2002 10:58:23 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Recently, I reported on a vulnerability in the Urlcount.cgi script of
Lil'HTTP Server (Summit Computer Networks).  This time, another
CGI (pbcgi.cgi) has been found vulnerable to cross-site scripting.

Some versions of this CGI take the form input you POST or GET
to it and break it into separate name and e-mail fields.  The
script does not sanitize the input it handles in this process,
which leaves it vulnerable to cross-site scripting attacks.

Although the form data string as a whole is not decoded (and so
does not trigger XSS in most browsers), the separate "Name" and
"E-mail" strings that the CGI creates from it ARE decoded, and
that is where the security issue arises:

http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E
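The decoding step described above, as an added Python example that is not the Lil'HTTP or PowerBASIC code: it echoes the raw query string, reflects the decoded name/e-mail fields the way the advisory describes, and shows the same page with the decoded values HTML-escaped, all run over the proof-of-concept URL. The field names and the surrounding markup are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the proof-of-concept URL from the advisory.
SAMPLE_URL = ("http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy"
              "&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E")


def sample_query() -> str:
    """Return just the query-string part of the sample URL."""
    return urlsplit(SAMPLE_URL).query


def split_form(query: str) -> dict:
    """Mimic the CGI breaking the form data into name and e-mail.
    parse_qs percent-decodes each value, so this is the point where the
    harmless '%3C' in the raw string becomes a live '<'."""
    fields = parse_qs(query, keep_blank_values=True)
    return {"name": fields.get("name", [""])[0],
            "email": fields.get("email", [""])[0]}


def render_raw_echo(query: str) -> str:
    """Echo the undecoded form data string: the tag stays percent-encoded,
    which is why this part alone does not fire in most browsers."""
    return f"<p>You sent: {query}</p>"


def render_vulnerable(query: str) -> str:
    """Reflect the decoded fields verbatim (the behaviour the advisory
    describes): the decoded <SCRIPT> lands in the page as markup."""
    f = split_form(query)
    return f"<p>Name: {f['name']}</p><p>E-mail: {f['email']}</p>"


def render_fixed(query: str) -> str:
    """Same page, but every decoded value is HTML-escaped before it is
    placed in the markup, so the browser only ever sees text."""
    f = split_form(query)
    return (f"<p>Name: {html.escape(f['name'], quote=True)}</p>"
            f"<p>E-mail: {html.escape(f['email'], quote=True)}</p>")


if __name__ == "__main__":
    q = sample_query()
    print(render_raw_echo(q))
    print(render_vulnerable(q))
    print(render_fixed(q))
```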

Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.

Administrators of vulnerable servers should remove the pbcgi.cgi
application from their CGI-BIN folder.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
