
Lil'HTTP Pbcgi.cgi XSS Vulnerability

by Nikola Strahija on July 12th, 2002

Some versions of this CGI will take the form input you POST/GET to it, and break it into name/e-mail. It does not properly sanitize the input used in this process, making it vulnerable to cross-site scripting attacks.


Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security
issue:

http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E

Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.

Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.
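
Added example (not part of the advisory and not PowerBASIC's code): the request quoted above, rendered once with the decoded "Name" and "E-mail" values written out as-is and once with each value HTML-encoded at output. The response template and all function names are assumptions, since the page does not show what pbcgi.cgi actually emits.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Request from the advisory above, with the wrapped line rejoined.
ADVISORY_URL = (
    "http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy"
    "&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E"
)

# Hypothetical response template; the real pbcgi.cgi output is not on the page.
TEMPLATE = "<p>Name: {name}</p>\n<p>E-mail: {email}</p>"


def decoded_fields(url):
    """Percent-decode the query string and pull out the two fields the CGI builds."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: params.get(key, [""])[0] for key in ("name", "email")}


def render_decoded_only(url):
    """Behaviour the advisory describes: decoded values reach the page unencoded."""
    return TEMPLATE.format(**decoded_fields(url))


def render_encoded(url):
    """Hardened form: HTML-encode every decoded value at the point of output."""
    fields = {k: escape(v, quote=True) for k, v in decoded_fields(url).items()}
    return TEMPLATE.format(**fields)


def contains_live_markup(page):
    """Crude check for this sample only: did a script tag survive into the response?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, render in (("decoded only", render_decoded_only),
                          ("decoded + encoded", render_encoded)):
        page = render(ADVISORY_URL)
        print(f"--- {label}: live markup = {contains_live_markup(page)}")
        print(page)
```

Encoding belongs after decoding and at the point of output: encoding the raw query string first would leave the percent-escaped tag intact for the later decode step to restore.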

