Bugtraq mailing list archives

Technical Details of Urlcount.cgi Vulnerability


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Mon, 8 Jul 2002 12:06:07 -0500

When I informed Summit Computer Networks' Scott
Slater about the Urlcount.cgi vulnerability, he replied to
me that the application was property of PowerBASIC,
and that he would forward it on.  Hearing nothing from
either Slater, or PowerBASIC, Inc. in nearly two
weeks, and in response to requests for information from
list readers, I have decided to make details of the
vulnerability public.

Urlcount.cgi is a small CGI executable that ships with
the server to serve as a hit counter.  When given a
query string beginning with "url:", the CGI returns the
number of hits the URL has received.  When the query
string is "REPORT", the counter data sheet is returned.

If neither condition is met, the CGI saves the URL to
urlcount.ini, or increments its counter there.  A flaw in
the CGI's sanitization of the data it saves could allow
an attacker with access to the CGI to submit a
maliciously crafted request, and then send a targeted
visitor to view the counter report.

If this is exploited correctly, it allows script to be run
in the context of the targeted site by malicious attackers.
The CGI does appear to filter script tags, but not events
fired by other types of elements.

If a malicious webmaster requested this URL:

http://target/urlcount.cgi?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E

any user who executed this URL:

http://target/urlcount.cgi?REPORT

would be at risk of an attack targeted at their browser
in the name of the attacked site.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
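
The behaviour described in the post, as an added example that is not part of the original message and not Urlcount.cgi's code: a filter that removes only script tags lets the post's IMG/ONERROR entry reach the report, while HTML-encoding each stored entry at output time renders it inert. The filter regex and all function names are assumptions, since the CGI's source is not shown.

```python
import html
import re
from urllib.parse import unquote

# Query string from the post, URL-encoded as it would be sent to the CGI.
QUERY = "%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E"

# Assumed stand-in for the CGI's filter: it removes <script> tags and nothing else.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

def store_naive(counts, query):
    """Decode the query, strip script tags only, then save or increment the entry."""
    key = SCRIPT_TAG.sub("", unquote(query))
    counts[key] = counts.get(key, 0) + 1

def report_raw(counts):
    """Vulnerable report: stored entries are written into the page verbatim."""
    rows = "".join(f"<tr><td>{k}</td><td>{n}</td></tr>" for k, n in counts.items())
    return f"<table>{rows}</table>"

def report_encoded(counts):
    """Hardened report: every stored entry is HTML-encoded at output time."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{n}</td></tr>"
        for k, n in counts.items()
    )
    return f"<table>{rows}</table>"

def has_event_handler_markup(page):
    """Crude check: does the page contain a live tag carrying an on* attribute?"""
    return re.search(r"<[a-z][^>]*\son\w+\s*=", page, re.IGNORECASE) is not None

if __name__ == "__main__":
    counts = {}
    store_naive(counts, QUERY)                                # entry from the post
    store_naive(counts, "%3Cscript%3Ealert(1)%3C/script%3E")  # constructed sample
    print("raw report carries handler:    ", has_event_handler_markup(report_raw(counts)))
    print("encoded report carries handler:", has_event_handler_markup(report_encoded(counts)))
```

Encoding when the report is generated also covers entries already saved in urlcount.ini, which an input-side filter alone would not.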

