Users login

Create an account »


Users login

Home » Hacking News » Lil'HTTP Pbcgi.cgi XSS Vulnerability

Lil'HTTP Pbcgi.cgi XSS Vulnerability

by Nikola Strahija on July 12th, 2002 Some versions of this CGI will take the form input you POST/GET to it, and break it into name/e-mail. It does not properly sanitize the input used in this process, making it vulnerable to cross-site scripting attacks.

Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security


Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.

Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »