Vendor: Lil' HTTP Server
By: SecurityFocus
CVSS: 8.8 HIGH
HTML Injection
CWE: 79
Product Name: Lil' HTTP Server
Affected Version From: Lil' HTTP Server 1.0
Affected Version To: Lil' HTTP Server 1.0
Patch Exists: No
Related CVE: CVE-2002-1490
CPE: o:summit_computer_networks:lil_http_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Lil’ HTTP Server HTML Injection Vulnerability

Lil' HTTP Server is vulnerable to HTML injection attacks due to insufficient sanitization of user input in the 'REPORT' function found in the 'urlcount.cgi' script. An attacker can inject arbitrary HTML into the reports page, so that malicious JavaScript code executes in the browser of a web user who visits that page.

Mitigation:

Users should filter user input to prevent HTML injection attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5115/info

Lil' HTTP server is a web server application for Windows environments and is maintained by Summit Computer Networks.

Reportedly, Lil' HTTP Server is vulnerable to HTML injection attacks.

The vulnerability is present in the 'REPORT' function found in the 'urlcount.cgi' script. While the CGI does filter script tags, other HTML elements are not sufficiently sanitized, allowing for arbitrary HTML to be injected into the reports page.

http://target/urlcount.cgi?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E

This will affect web users who visit the reports page:

http://target/urlcount.cgi?REPORT
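
The gap described above (script tags filtered, other elements passed through) is shown next to output encoding in this added example, which is not code from Lil' HTTP Server or from the advisory. The shape of the report page, the `strip_script_tags` stand-in for the CGI's filter, and all function names are assumptions. The sample log is constructed, and its second entry is the request quoted on this page.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of logged query strings; the second entry is the request
# quoted on this page, the third is a plain <script> attempt for comparison.
LOGGED_QUERIES = [
    "index.html",
    "%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E",
    "%3Cscript%3Ealert(1)%3C/script%3E",
]

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value):
    """Assumed stand-in for the CGI's filter: removes <script> tags only."""
    return SCRIPT_TAG.sub("", value)


def encode_for_html(value):
    """Output encoding: every markup character becomes a character reference."""
    return html.escape(value, quote=True)


def render_report(queries, encode):
    """Build a report table; `encode` prepares one logged value for the page."""
    rows = "".join(f"<tr><td>{encode(unquote(q))}</td></tr>\n" for q in queries)
    return f"<table>\n{rows}</table>"


def cells_with_markup(report_html):
    """Return the table cells that still contain a tag instead of plain text."""
    cells = re.findall(r"<td>(.*?)</td>", report_html, re.DOTALL)
    return [c for c in cells if re.search(r"<[A-Za-z/!]", c)]


def weak_report():
    return render_report(LOGGED_QUERIES, strip_script_tags)


def safe_report():
    return render_report(LOGGED_QUERIES, encode_for_html)


if __name__ == "__main__":
    print("script-tag filter leaves markup in:", cells_with_markup(weak_report()))
    print("output encoding leaves markup in:  ", cells_with_markup(safe_report()))
```

Encoding at the point of output does not depend on knowing which tags or attributes are dangerous, which is why it holds where a tag blocklist does not.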