vulnerable to Cross-site Scripting

ID VU:246409
Type cert
Reporter CERT
Modified 2004-02-23T00:00:00



A vulnerability in the Common Gateway Interface (CGI) Perl module may allow an attacker to mount a cross-site scripting attack against a vulnerable system.


The Common Gateway Interface, or CGI, is a standard for external gateway programs to interface with information servers such as HTTP servers. The standard Perl distribution and many vendors' repackaged Perl systems include a CGI library known as This module offers a set of functions for creating fill-out forms, among other things.

Some versions of the module contain a vulnerability in handling of the action in the start_form() and start_multipart_form() functions. When the action for the form is not specified, a default based on the user-supplied URL is used. Because the value of this expression is not sanitized by the module before processing and contains user-supplied data or data received from untrustworthy sources, a remote attacker may be able to inject HTML or malicious script. A user of the vulnerable site or web application may then be tricked into interpreting the HTML or executing the script in a situation where they normally might not.


The victim will be presented with information that the vulnerable site did not wish their visitors to be subjected to. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs. This exploitation vector is commonly referred to as a cross-site scripting attack.


Apply a patch from the vendor

Versions 2.94 and later of the module contain a fix for this vulnerability. Please see the vendor section of this document for further details.
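Alongside upgrading, it helps to know which scripts rely on the default form action described above. The following is an added example, not part of the original advisory or the module's code: a heuristic Python scan of Perl source for start_form() and start_multipart_form() calls that pass no action. The helper names, the sample script, and the treatment of a second positional argument as the action are assumptions.

```python
import re

# The two calls named in the advisory; with no action the module uses a default.
CALL = re.compile(r"\bstart_(?:multipart_)?form\b")

def _call_args(src, pos):
    """Return (argument text, had_parentheses) for the call name ending at pos."""
    rest = src[pos:]
    if not rest.lstrip().startswith("("):
        return rest.split(";", 1)[0], False  # arguments run to end of statement
    start = pos + len(rest) - len(rest.lstrip())
    depth = 0
    for i in range(start, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[start + 1:i], True
    return src[start + 1:], True  # unbalanced: take what is left

def _commas(args):
    """Count commas outside nested brackets (heuristic: ignores quoting)."""
    depth = count = 0
    for ch in args:
        depth += 1 if ch in "([{" else -1 if ch in ")]}" else 0
        count += ch == "," and depth == 0
    return count

def find_default_action_forms(perl_source):
    """Return (line, call) pairs for form calls that pass no action."""
    # Whole-line comments are blanked so line numbers stay stable.
    src = "\n".join("" if ln.lstrip().startswith("#") else ln
                    for ln in perl_source.split("\n"))
    hits = []
    for m in CALL.finditer(src):
        args, parens = _call_args(src, m.end())
        named = re.search(r"-action\s*=>", args, re.I)
        # Assumption: a positional call passes the action as its 2nd argument.
        positional = parens and "=>" not in args and _commas(args) >= 1
        if not (named or positional):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits

# Constructed sample script, not taken from any real application.
SAMPLE = """\
# print $q->start_form;
print $q->start_form;
print $q->start_form(-method => 'POST');
print $q->start_form(-method => 'POST', -action => '/cgi-bin/feedback.cgi');
print $q->start_multipart_form();
print $q->start_multipart_form('POST', '/cgi-bin/upload.cgi');
"""
```

Each reported line is a form whose action is left to the module; on versions before 2.94 those are the calls to review first, either by upgrading or by passing a fixed action chosen by the application.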

Systems Affected

Vendor| Status| Date Notified| Date Updated
Conectiva| | -| 30 Jul 2003
Debian| | -| 21 Aug 2003
Lincoln Stein| | -| 07 Oct 2003
MandrakeSoft| | -| 02 Sep 2003
OpenBSD| | -| 02 Sep 2003
OpenPKG| | -| 07 Oct 2003
Red Hat Inc.| | -| 07 Oct 2003
SCO| | -| 13 Nov 2003
Sun Microsystems Inc.| | -| 11 Feb 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A




Thanks to Obscure for reporting this vulnerability.

This document was written by Chad R Dougherty with feedback from Sean Levy.

Other Information

  • CVE IDs: CAN-2003-0615
  • Date Public: 19 Jul 2003
  • Date First Published: 07 Oct 2003
  • Date Last Updated: 23 Feb 2004
  • Severity Metric: 15.00
  • Document Revision: 10