SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Lil' HTTP Server
Vendors:   Summit Computer Networks
Lil' HTTP Server 'pbcgi.cgi' Script Input Validation Flaw Allows Remote Users to Conduct Cross-site Scripting Attacks Against Web Server Users
SecurityTracker Alert ID:  1004751
SecurityTracker URL:  http://securitytracker.com/id/1004751
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 12 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.2
Description:   An input validation vulnerability was reported in PowerBASIC's 'pbcgi.cgi' script, which is included in the Lil' HTTP Server. A remote user can conduct cross-site scripting attacks.

It is reported that the "Name" and "E-mail" strings provided to the CGI script are not properly filtered.

A remote user can create a URL and provide it to a target user so that, when the URL is loaded by the target user, arbitrary script code will be executed by the target user's browser. The code will appear to originate from the web site running Lil' HTTP Server and will run in the security context of that site. As a result, the code may be able to access the target user's cookies associated with that site (if any), including authentication cookies, access data recently submitted via web form to that site, or take actions on that site acting as the target user.

A demonstration exploit URL is provided:

http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E

[Editor's note: In researching this report, we discovered a similar report dating from April 2002, reportedly posted by p0p t4rtz and Sitedude as a NetCrash security report, available at: http://www.egoclan.barrysworld.net/netcrash/releases/netcrash.lilhttp.cssviapbcgi.htm]

Impact:   A remote user can create arbitrary script code that, when run on a target user's computer, can access the target user's cookies (if any) associated with a site running the pbcgi.cgi script, access data recently submitted via web form to that site, or take actions on that site acting as the target user.
Solution:   No solution was available at the time of this entry.

Another user reported that, as a workaround, you can remove this CGI script from the web server.
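
Where a form handler of this kind has to stay in service, the underlying fix is to HTML-escape each decoded field before writing it into the response. The following is an added example, not code from the vendor, the reporter, or this advisory: a Python model of the reported behaviour (the PowerBASIC source is not shown on this page) next to a hardened version, run against the query string of the demonstration URL above. The function names and the e-mail allow-list pattern are assumptions made for illustration.

```python
"""Added example: reflecting decoded form fields with and without HTML escaping."""
import html
import re
from urllib.parse import parse_qs

# Query string from the demonstration URL in the advisory (joined onto one line).
DEMO_QUERY = ("name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29"
              "%3B%3C%2FSCRIPT%3E")

# Conservative allow-list for e-mail addresses (an assumption, not an RFC 5322 parser).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def fields(query: str) -> dict:
    """URL-decode the query string and return the first name/email values."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {k: parsed.get(k, [""])[0] for k in ("name", "email")}


def render_unsafe(query: str) -> str:
    """Model of the reported flaw: decoded values are written into HTML as-is."""
    f = fields(query)
    return f"<p>Name: {f['name']}</p>\n<p>E-mail: {f['email']}</p>"


def render_safe(query: str) -> str:
    """Hardened form: validate the e-mail, then HTML-escape every reflected value."""
    f = fields(query)
    email = f["email"] if EMAIL_RE.fullmatch(f["email"]) else "(invalid address)"
    name = html.escape(f["name"], quote=True)
    return f"<p>Name: {name}</p>\n<p>E-mail: {html.escape(email, quote=True)}</p>"


if __name__ == "__main__":
    print(render_unsafe(DEMO_QUERY))   # markup from the query reaches the page
    print(render_safe(DEMO_QUERY))     # e-mail rejected, nothing reflected as markup
    # Constructed input: markup in the name field is escaped, valid e-mail is kept.
    print(render_safe("name=%3Cb%3EBob%3C%2Fb%3E&email=bob%40example.com"))
```

Escaping is applied even to the validated e-mail value, so the output stays inert if the allow-list is later loosened.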

Vendor URL:  www.summitcn.com/lilhttp/lildocs.html
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Lil'HTTP Pbcgi.cgi XSS Vulnerability


Recently, I reported on a vulnerability in the Urlcount.cgi script of
Lil'HTTP Server (Summit Computer Networks).  This time, another
CGI (pbcgi.cgi) has been found vulnerable to cross-site scripting.

Some versions of this CGI will take the form input you POST/GET
to it, and break it into name/e-mail.  It does not properly sanitize
the input used in this process, making it vulnerable to cross-site
scripting attacks.

Although the entire form data string is not decoded (and thus is
not vulnerable to XSS in most browsers), the "Name" and "E-mail"
strings that the CGI creates ARE decoded, resulting in a security
issue:

http://localhost:81/pbcgi.cgi?name=Matthew%20Murphy&email=%3CSCRIPT%3Ealert%28%27xss%27%29%3B%3C%2FSCRIPT%3E

Given the lack of a response from PowerBASIC with my previous
issue, I do not expect the vendor to release a fix anytime soon.

Vulnerable administrators should remove the pbcgi.cgi application
from their CGI-BIN folder.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown


 
 



Copyright 2021, SecurityGlobal.net LLC