Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

TRACKtheCLICK Script Injection Vulnerabilities

From: "BrainRawt" <brainrawt () haxworx com>
Date: Sat, 11 Oct 2003 01:32:25 -0500
 Scripts4webmasters.com TRACKtheCLICK Script Injection Vulnerabilities 
 Discovered By Chris Rahm (aka: BrainRawt) (brainrawt () haxworx com)


 About TRACKtheCLICK:
 --------------------
 A perl coded CGI that tracks your email, ezine, banner, and web site 
 links. TRACKtheCLICK outputs log information to a data file that in
 return is viewable in an organized HTML format through the use of
 another CGI called admin.cgi.

 TRACKtheCLICK can be downloaded from the following address.

 http://www.scripts4webmasters.com/clicktracking/index.shtml

 Vulnerable Version:
 -------------------
 Version 1.0


 Vendor Contact:
 ----------------
 10-5-03  - Emailed webmaster () scripts4webmasters com
 
 10-10-03 - No Response 


 Vulnerability:
 ----------------
 Due to a lack of filtering in click.cgi, scalars $agent and $referer are
 vulnerable to script injection.  An individual can inject malicious code
 to the data file by spoofing their User-Agent: and/or Referer:.  When the
 data file is opened by admin.cgi, the injected code will be executed by 
 that persons browser.

 --------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: