US-CERT Vulnerability Notes Database

Vulnerability Note VU#246409

CGI.pm vulnerable to Cross-site Scripting

Overview

A vulnerability in the Common Gateway Interface (CGI) Perl module may allow an attacker to mount a cross-site scripting attack against a vulnerable system.

I. Description

The Common Gateway Interface, or CGI, is a standard for external gateway programs to interface with information servers such as HTTP servers. The standard Perl distribution and many vendors' repackaged Perl systems include a CGI library known as CGI.pm. This module offers a set of functions for creating fill-out forms, among other things.

Some versions of the CGI.pm module contain a vulnerability in how the start_form() and start_multipart_form() functions handle the form action. When the action for the form is not specified, a default based on the user-supplied URL is used. Because this default contains user-supplied data or data received from untrustworthy sources and is not sanitized by the module before processing, a remote attacker may be able to inject HTML or malicious script. A user of the vulnerable site or web application may then be tricked into interpreting the HTML or executing the script in a situation where they normally might not.
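The pattern described above, modeled in stand-alone Perl as an added example; it is not CGI.pm's code and not part of the original note. The function names, the request URL and the check are constructed for illustration, and the sample input carries only inert markup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for attribute values (hypothetical helper, not CGI.pm's own routine).
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Model of the flawed pattern: when no action is given, the request URL
# is copied into the attribute exactly as the client sent it.
sub form_tag_unescaped {
    my ($request_url, $action) = @_;
    $action = $request_url unless defined $action;
    return qq{<form method="post" action="$action">};
}

# Hardened form: same default, but HTML-escaped before it reaches the page.
sub form_tag_escaped {
    my ($request_url, $action) = @_;
    $action = $request_url unless defined $action;
    return '<form method="post" action="' . escape_html($action) . '">';
}

# Regression check: the output must be exactly one <form ...> tag,
# with no markup leaking out of the action attribute.
sub is_single_form_tag {
    my ($html) = @_;
    return $html =~ /\A<form [^<>]*>\z/ ? 1 : 0;
}

# Constructed sample input: extra path data that closes the attribute and adds a tag.
my $request_url = '/cgi-bin/form.pl/"><b>injected</b>';

my %cases = (
    'unescaped default' => form_tag_unescaped($request_url),
    'escaped default'   => form_tag_escaped($request_url),
    # An explicit, fixed action keeps the request URL out of the page entirely.
    'explicit action'   => form_tag_escaped($request_url, '/cgi-bin/form.pl'),
);
for my $name (sort keys %cases) {
    printf "%-18s single tag: %d  %s\n", $name, is_single_form_tag($cases{$name}), $cases{$name};
}
```

A check like is_single_form_tag() can be run against pages generated by a deployed script to confirm that a request URL with extra path data no longer alters the form markup after upgrading.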

II. Impact

The victim is presented with content that the vulnerable site did not intend its visitors to receive. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs. This exploitation vector is commonly referred to as a cross-site scripting attack.

III. Solution

Apply a patch from the vendor


Versions 2.94 and later of the CGI.pm module contain a fix for this vulnerability. Please see the vendor section of this document for further details.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Conectiva | Vulnerable | 30-Jul-2003
Debian | Vulnerable | 21-Aug-2003
Lincoln Stein | Vulnerable | 7-Oct-2003
MandrakeSoft | Vulnerable | 2-Sep-2003
OpenBSD | Vulnerable | 2-Sep-2003
OpenPKG | Vulnerable | 7-Oct-2003
Red Hat Inc. | Vulnerable | 7-Oct-2003
SCO | Vulnerable | 13-Nov-2003
Sun Microsystems Inc. | Vulnerable | 11-Feb-2004

References


http://stein.cshl.org/WWW/software/CGI/
http://eyeonsecurity.org/advisories/
http://xforce.iss.net/xforce/xfdb/12669

Credit

Thanks to Obscure for reporting this vulnerability.

This document was written by Chad R Dougherty with feedback from Sean Levy.

Other Information

Date Public: 2003-07-19
Date First Published: 2003-10-07
Date Last Updated: 2004-02-23
CERT Advisory:
CVE-ID(s): CAN-2003-0615
NVD-ID(s): CAN-2003-0615
US-CERT Technical Alerts:
Metric: 15.00
Document Revision: 10

Copyright 2003 Carnegie Mellon University