From: Matthew Murphy (mattmurphykc.rr.com)
Date: Mon Jul 08 2002 - 12:06:07 CDT
When I informed Summit Computer Networks' Scott
Slater about the Urlcount.cgi vulnerability, he replied to
me that the application was property of PowerBASIC,
and that he would forward it on. Hearing nothing from
either Slater, or PowerBASIC, Inc. in nearly two
weeks, and in response to requests for information from
list readers, I have decided to make details of the
Urlcount.cgi is a small CGI executable that ships with
the server to serve as a hit counter. When given a
query string beginning with "url:", the CGI returns the
number of hits the URL has received. When the query
string is "REPORT", the counter data sheet is returned.
If neither condition is met, the CGI saves the URL to
urlcount.ini, or increments its counter there. A flaw in
the input sanitization of the CGI's saved data could allow
an attacker with access to the CGI to submit a
maliciously crafted request, and then send
a targeted visitor to view the counter report.
If this is exploited correctly, it allows an attacker's script
to run in the context of the targeted site.
The CGI does appear to filter script tags, but not events
fired by other types of elements.
If a malicious webmaster requested this URL:
Any user who executed this URL:
Would be at risk of an attack targeted at their browser
in the name of the attacked site.
"The reason the mainstream is thought
of as a stream is because it is
- Author Unknown
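
The filtering gap described in the post (script tags removed from saved data, event-handler attributes left in place), as an added Python example that is not part of the original post and is not the CGI's code. The script-tag filter, the dict standing in for urlcount.ini, and the sample entries are constructed assumptions; the example compares a report that trusts the filtered data with one that HTML-encodes every saved value on output.

```python
import html
import re
from html.parser import HTMLParser

# Assumed stand-in for the CGI's filter: it removes <script> tags only.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

def save_hit(store, url):
    """Blacklist-filter the URL, then save it or increment its counter."""
    key = SCRIPT_TAG.sub("", url)
    store[key] = store.get(key, 0) + 1

def render_report(store, encode):
    """Build the counter report; encode=True HTML-escapes each saved URL."""
    rows = []
    for url, hits in store.items():
        cell = html.escape(url, quote=True) if encode else url
        rows.append(f"<tr><td>{cell}</td><td>{hits}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"

class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found += [(tag, name) for name, _ in attrs if name.startswith("on")]

def event_handlers(markup):
    """Return every event-handler attribute a browser-style parser would see."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found

# Constructed sample entries, not taken from the advisory.
SAMPLES = ["/index.html", "<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]

def demo():
    """Save the samples, then render the report without and with encoding."""
    store = {}
    for entry in SAMPLES:
        save_hit(store, entry)
    return render_report(store, encode=False), render_report(store, encode=True)

if __name__ == "__main__":
    weak, hardened = demo()
    print("unencoded report handlers:", event_handlers(weak))
    print("encoded report handlers:  ", event_handlers(hardened))
```

Encoding at output time makes the report safe regardless of what was written to the data file earlier, which a save-time blacklist cannot guarantee.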