TRACKtheCLICK Script Injection Vulnerabilities

From: BrainRawt (brainrawt_at_haxworx.com)
Date: 10/11/03

To: <bugtraq@securityfocus.com>
Date: Sat, 11 Oct 2003 01:32:25 -0500


     Scripts4webmasters.com TRACKtheCLICK Script Injection Vulnerabilities
     Discovered By Chris Rahm (aka: BrainRawt) (brainrawt@haxworx.com)

     About TRACKtheCLICK:
     --------------------
     A Perl-coded CGI that tracks your email, ezine, banner, and web site
     links. TRACKtheCLICK outputs log information to a data file that in
     return is viewable in an organized HTML format through the use of
     another CGI called admin.cgi.

     TRACKtheCLICK can be downloaded from the following address.

     http://www.scripts4webmasters.com/clicktracking/index.shtml

     Vulnerable Version:
     -------------------
     Version 1.0

     Vendor Contact:
     ----------------
     10-5-03 - Emailed webmaster@scripts4webmasters.com
     
     10-10-03 - No Response

     Vulnerability:
     ----------------
     Due to a lack of filtering in click.cgi, scalars $agent and $referer are
     vulnerable to script injection. An individual can inject malicious code
     into the data file by spoofing their User-Agent: and/or Referer:. When the
     data file is opened by admin.cgi, the injected code will be executed by
     that person's browser.

     --------------------------------------------------------------------------
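
The following is an added illustration, not TRACKtheCLICK's code and not part of the advisory above: it shows the two places where the described header-logging flaw is normally closed in a Perl CGI, namely stripping record separators from request headers before they are written to the data file, and HTML-escaping every field when admin output is rendered. The pipe-separated record layout, the field names, and the constructed request environment are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not TRACKtheCLICK's code): neutralise spoofed User-Agent and
# Referer headers on the way into the log and again on the way out to the
# admin page, so stored markup is never handed to the viewer's browser.
use strict;
use warnings;

# Minimal HTML escaping; CGI::escapeHTML or HTML::Entities would also do.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Build one log record from the CGI environment (assumed layout: pipe-separated
# fields). Newlines and the separator are stripped from each header so a
# crafted header cannot forge extra records or fields in the data file.
sub log_line {
    my ($env) = @_;
    my @fields = map {
        my $v = $env->{$_};
        $v = '' unless defined $v;
        $v =~ s/[\r\n|]//g;
        $v;
    } qw(REMOTE_ADDR HTTP_USER_AGENT HTTP_REFERER);
    return join('|', scalar(localtime), @fields) . "\n";
}

# Render one stored record for the admin view. Escaping happens here, at
# output time, no matter what was written to the file earlier.
sub render_row {
    my ($line) = @_;
    chomp $line;
    my @f = split /\|/, $line, -1;
    return '<tr>'
        . join('', map { '<td>' . escape_html($_) . '</td>' } @f)
        . "</tr>\n";
}

# Constructed request environment standing in for a spoofed client.
my %fake_env = (
    REMOTE_ADDR     => '192.0.2.10',
    HTTP_USER_AGENT => '<script>alert(1)</script>',
    HTTP_REFERER    => "http://example.com/\n<b>forged</b>|extra",
);

my $record = log_line(\%fake_env);
my $html   = render_row($record);
print $html;

# The rendered row must contain no tag other than the table markup we emit.
die "escaping failed\n" if $html =~ /<script|<b>/;
```

Escaping at output time is the part that matters for the admin.cgi side of the advisory: even records written before a fix remain safe to view. Stripping separators at log time is a separate control that keeps the data file's structure trustworthy.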

