[SCSA-013] Cross Site Scripting vulnerability in testcgi.exe

From: Grégory (gregory.lebras@security-corporation.com)
Date: 03/27/03

Next message: Martin Schulze: "[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit"

Previous message: Roman Medina: "Re: WebDAV exploit: using wide character decoder scheme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 27 Mar 2003 14:38:05 -0000
From: "Grégory" Le Bras <gregory.lebras@security-corporation.com>
To: bugtraq@securityfocus.com

('binary' encoding is not supported, stored as-is)

________________________________________________________________________

Security Corporation Security Advisory [SCSA-013]
________________________________________________________________________

PROGRAM: Ceilidh
HOMEPAGE: http://www.lilikoi.com
VULNERABLE VERSIONS: 2.70 and prior
________________________________________________________________________

DESCRIPTION
________________________________________________________________________

"Ceilidh is a Web-based threaded discussion engine that features
automatic text to HTML conversion, file attachment, e-mail
notification, automatic message expiration, multiple levels of
security and much more."
(direct quote from http://www.lilikoi.com)

DETAILS & EXPLOITS
________________________________________________________________________

¤ Cross Site Scripting :

A exploitable bug was found on Ceilidh which cause script
execution on client's computer by following a crafted url.

This kind of attack known as "Cross-Site Scripting Vulnerability" is
present in testcgi.exe file, an attacker can input specially crafted
links and/or other malicious scripts.

- Exploits :

http://[target]/cgi-bin/testcgi.exe?[hostile_code]

The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor.)

(replace [] by <>)

SOLUTIONS
________________________________________________________________________

No solution for the moment.

VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.

LINKS
________________________________________________________________________

- http://www.security-corp.org/index.php?ink=4-15-1

- Version Française :
http://www.security-corporation.com/index.php?id=advisories&a=013-FR

------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
------------------------------------------------------------------------

Next message: Martin Schulze: "[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit"

Previous message: Roman Medina: "Re: WebDAV exploit: using wide character decoder scheme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-Disclosure] [SCSA-013] Cross Site Scripting vulnerability in testcgi.exe
... Security Corporation Security Advisory ... "Ceilidh is a Web-based threaded discussion engine that features ... This kind of attack known as "Cross-Site Scripting Vulnerability" is ...
(Full-Disclosure)
[NT] Cookie Data in IE Can Be Exposed or Altered Through Script Injection
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Many web sites use cookies as a way to store information on a user's local ... customers can protect their systems by disabling active scripting. ... are not affected by the HTML mail exploit of this vulnerability because ...
(Securiteam)
[UNIX] Path Disclosure and Cross Site Scripting Vulnerability in MyABraCaDaWeb
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability found in this product allows full path disclosure ... and Cross Site Scripting attacks. ... A vulnerability in MyABraCaDaWeb allow attackers to determine the physical ...
(Securiteam)
[Full-disclosure] Drupal Link to Us Module Contains XSS Vulnerability
... Security risk: low ... Vulnerability: Cross site scripting ... Drupal is a robust content management system ...
(Full-Disclosure)
Re: Html injection/hacking, but what does it do? Any advice?
... I'm not very good on security, but from what I read, if you write scripts ... cross-site scripting, which is more serious than a bit of spam. ... someone enters a comment with the characters, ... I can't say for sure if you do have the vulnerability. ...
(alt.html)