Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Thu Jul 11 2002 - 10:58:23 CDT
Recently, I reported on a vulnerability in the Urlcount.cgi script of
Lil'HTTP Server (Summit Computer Networks). This time, another
CGI (pbcgi.cgi) has been found vulnerable to cross-site scripting.
Some versions of this CGI will take the form input you POST/GET
to it, and break it into name/e-mail. It does not properly sanitize
the input used in this process, making it vulnerable to cross-site
Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security
Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.
Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.
"The reason the mainstream is thought
of as a stream is because it is
- Author Unknown