TRACKtheCLICK Script Injection Vulnerabilities

From: BrainRawt (
Date: 10/11/03

    Date: Sat, 11 Oct 2003 01:32:25 -0500
  TRACKtheCLICK Script Injection Vulnerabilities
     Discovered By Chris Rahm (aka: BrainRawt) (

     About TRACKtheCLICK:
     A Perl-coded CGI that tracks your email, ezine, banner, and web site
     links. TRACKtheCLICK writes log information to a data file that in
     turn is viewable in an organized HTML format through the use of
     another CGI called admin.cgi.

     TRACKtheCLICK can be downloaded from the following address.

     Vulnerable Version:
     Version 1.0

     Vendor Contact:
     10-5-03 - Emailed
     10-10-03 - No Response

     Due to a lack of filtering in click.cgi, the scalars $agent and $referer are
     vulnerable to script injection. An individual can inject malicious code
     into the data file by spoofing their User-Agent: and/or Referer: headers. When the
     data file is opened by admin.cgi, the injected code will be executed by
     that person's browser.
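     The pattern above (untrusted request headers stored verbatim and later rendered as HTML by an admin page) and its fix, as an added example that is not TRACKtheCLICK's code; it is written in Python rather than Perl for illustration, and the record delimiter, field names and sample header values are assumptions constructed here.

```python
"""Storing User-Agent / Referer in a line-oriented data file and rendering it
later as HTML. Hypothetical example, not the TRACKtheCLICK source."""
import html

FIELD_SEP = "|"  # assumed record delimiter of the data file


def sanitize_field(value: str, max_len: int = 512) -> str:
    """Storage stage: neutralise characters that would forge extra
    records or fields in a line-oriented log, and cap the length."""
    cleaned = value.replace("\r", "").replace("\n", "").replace(FIELD_SEP, " ")
    return cleaned[:max_len]


def log_record(agent: str, referer: str) -> str:
    """Build one data-file record from the two untrusted headers."""
    return FIELD_SEP.join((sanitize_field(agent), sanitize_field(referer)))


def render_record_unsafe(record: str) -> str:
    """The vulnerable admin-page pattern: stored fields are interpolated
    into HTML verbatim, so any markup in a header reaches the browser."""
    agent, referer = record.split(FIELD_SEP, 1)
    return f"<tr><td>{agent}</td><td>{referer}</td></tr>"


def render_record(record: str) -> str:
    """Hardened rendering: HTML-escape every stored field at output time,
    regardless of what was filtered at storage time."""
    agent, referer = record.split(FIELD_SEP, 1)
    return f"<tr><td>{html.escape(agent)}</td><td>{html.escape(referer)}</td></tr>"


def find_suspicious(records: list[str]) -> list[int]:
    """Detection: indices of existing records that already contain
    markup-like content, i.e. a data file that may have been poisoned."""
    markers = ("<", ">", "javascript:")
    return [i for i, rec in enumerate(records)
            if any(m in rec.lower() for m in markers)]


# Constructed sample headers (not a real capture).
SAMPLE_HEADERS = [
    ("Mozilla/5.0 (X11; Linux x86_64)", "http://example.com/ezine"),
    ("<script>alert(1)</script>", "http://example.com/"),
    ("Mozilla/4.0", "http://example.com/x\n<b>forged</b>|extra"),
]

if __name__ == "__main__":
    records = [log_record(a, r) for a, r in SAMPLE_HEADERS]
    for rec in records:
        print("unsafe :", render_record_unsafe(rec))
        print("escaped:", render_record(rec))
    print("suspicious record indices:", find_suspicious(records))
```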

