vendor: pisg
by:
CVSS: 5.5 MEDIUM
CWE: 20 (Input Validation)
Product Name: pisg
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Input Validation Vulnerability in pisg

pisg is prone to an input validation vulnerability. The vulnerability occurs when pisg monitors an IRC server that allows HTML code as the value of an IRC Nickname. The nickname is copied into the HTML pages that pisg generates, so an attacker can inject malicious HTML code into them.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize input values for IRC Nicknames and prevent the use of HTML code. Additionally, it is advised to limit the characters and values allowed for IRC Nicknames.
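
The two mitigations above, shown as an added example that is not pisg's own code (pisg is written in Perl): every nickname is HTML-escaped when the page is rendered, and nicknames outside the RFC 2812 grammar are flagged for review. The log layout, sample lines and function names are assumptions made for the illustration.

```python
import html
import re
from collections import Counter

# RFC 2812 nickname grammar: a letter or "special" first, then up to 8 more
# letters, digits, specials or "-". Specials are [ ] \ ` _ ^ { | }
# Many servers allow longer nicks; widen the bound to match your network.
RFC2812_NICK = re.compile(r"[A-Za-z\[\]\\`_^{|}][A-Za-z0-9\[\]\\`_^{|}-]{0,8}")

# Constructed sample log; the "HH:MM  * nick action" layout is an assumption.
SAMPLE_LOG = """\
12:01  * alice waves
12:02  * <script>alert(document.domain);</script> waves
12:03  * alice laughs
12:04  * <script>alert(document.domain);</script> laughs
12:05  * bob|away shrugs
"""

ACTION = re.compile(r"^\d\d:\d\d  \* (?P<nick>\S+) ")

def count_actions(log_text):
    """Count /me lines per nickname, exactly as logged (untrusted input)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACTION.match(line)
        if m:
            counts[m.group("nick")] += 1
    return counts

def suspicious_nicks(counts):
    """Nicknames outside the RFC 2812 grammar, to review before publishing."""
    return sorted(n for n in counts if not RFC2812_NICK.fullmatch(n))

def render_stats(counts):
    """Render the stats table, HTML-escaping every nickname at output time."""
    rows = []
    for nick, n in counts.most_common():
        safe = html.escape(nick, quote=True)  # < > & " ' become entities
        rows.append(f"<tr><td>{safe}</td><td>{n}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"

if __name__ == "__main__":
    counts = count_actions(SAMPLE_LOG)
    print("review:", suspicious_nicks(counts))
    print(render_stats(counts))
```

Escaping at output time is the control that protects the generated page; the grammar check only reports nicknames that a stricter IRC server would have refused.
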
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10195/info

pisg has been reported prone to an input validation vulnerability. The issue will only present itself when pisg is used to monitor an IRC server that does not place limitations on IRC Nick values that can be used.

If an attacker specifies HTML code as a value for the IRC Nickname, this value may be incorporated into the HTML pages that are generated by pisg.

PROOF:
1. silc
2. /connect %Suitable IRC server%
3. /nick <script>alert(document.domain);</script>
4. /log ...
5. /me a couple of times on a channel
6. /quit
7. then generate stats ./pisg
8. surf the index.html