Lil'HTTP Pbcgi.cgi XSS Vulnerability
by Nikola Strahija on July 12th, 2002 Some versions of this CGI will take the form input you POST/GET to it, and break it into name/e-mail. It does not properly sanitize the input used in this process, making it vulnerable to cross-site scripting attacks.
Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security
issue:
http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%
28%27xss%27%29%3B%3C%2FSCRIPT%3E
Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.
Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.