OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matthew Murphy (mattmurphykc.rr.com)
Date: Mon Jul 08 2002 - 12:06:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    When I informed Summit Computer Networks' Scott
    Slater about the Urlcount.cgi vulnerability, he replied to
    me that the application was property of PowerBASIC,
    and that he would forward it on. Hearing nothing from
    either Slater, or PowerBASIC, Inc. in nearly two
    weeks, and in response to requests for information from
    list readers, I have decided to make details of the
    vulnerability public.

    Urlcount.cgi is a small CGI executable that ships with
    the server to serve as a hit counter. When given a
    query string beginning with "url:", the CGI returns the
    number of hits the URL has received. When the query
    string is "REPORT", the counter data sheet is returned.

    If neither condition is met, the CGI saves the URL to
    urlcount.ini, or increments its counter there. A flaw in
    the input sanitation of the CGI's saved data could allow
    an attacker who could access the CGI to submit a
    maliciously designed request to the CGI, and then send
    a targeted visitor to view the counter report.

    If this is exploited correctly, it allows script to be run
    in the context of the targeted site by malicious attackers.
    The CGI does appear to filter script tags, but not events
    fired by other types of elements.

    If a malicious webmaster requested this URL:

    http://target/urlcount.cgi?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27x
    ss%27%29%22%3E

    Any user who executed this URL:

    http://target/urlcount.cgi?REPORT

    Would be at risk of an attack targeted at their browser
    in the name of the attacked site.

    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown