Bugtraq mailing list archives

Lil'HTTP Pbcgi.cgi XSS Vulnerability

From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 11 Jul 2002 10:58:23 -0500

Recently, I reported on a vulnerability in the Urlcount.cgi script of
Lil'HTTP Server (Summit Computer Networks).  This time, another
CGI (pbcgi.cgi) has been found vulnerable to cross-site scripting.

Some versions of this CGI will take the form input you POST/GET
to it, and break it into name/e-mail.  It does not properly sanitize
the input used in this process, making it vulnerable to cross-site
scripting attacks.

Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security
issue:

http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%
28%27xss%27%29%3B%3C%2FSCRIPT%3E

Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.

Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

Current thread:

Lil'HTTP Pbcgi.cgi XSS Vulnerability Matthew Murphy (Jul 11)