FastCGI echo2.exe XSS

2002-01-01T00:00:00
ID OSVDB:3954
Type osvdb
Reporter OSVDB
Modified 2002-01-01T00:00:00

Description

Vulnerability Description

FastCGI contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate any variable submitted to the echo2.exe script before echoing it back. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the echo2.exe program from the server.
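The advisory's workaround is to remove the sample program; where an echo-style CGI must stay in place, the defect is the missing output encoding. The following C example is added here and is not FastCGI's own echo2.c: it shows an HTML-escaping routine and an echo row renderer that passes both the request variable's name and its value through it before they reach the page. The function names html_escape and render_echo_row and the table layout are assumptions for this example, and the sample input is the advisory's test vector, constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Map one byte to its HTML entity, or NULL if it needs no escaping.
 * These five characters are the ones that let attacker-controlled text
 * break out of HTML text or attribute context. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Copy `in` into `out` (capacity `outlen`), escaping HTML metacharacters.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * buffer is too small; the caller must treat -1 as "do not emit". */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = in; *p; p++) {
        const char *ent = html_entity(*p);
        size_t need = ent ? strlen(ent) : 1;
        if (used + need + 1 > outlen)   /* +1 keeps room for the NUL */
            return -1;
        if (ent)
            memcpy(out + used, ent, need);
        else
            out[used] = *p;
        used += need;
    }
    out[used] = '\0';
    return (long)used;
}

/* Render one "name / value" table row of an echo-style CGI response.
 * Both name and value come from the query string, so both are escaped
 * before being placed into the markup. Returns bytes written or -1. */
int render_echo_row(const char *name, const char *value, char *out, size_t outlen)
{
    char ename[256], evalue[1024];
    if (html_escape(name, ename, sizeof ename) < 0) return -1;
    if (html_escape(value, evalue, sizeof evalue) < 0) return -1;
    int n = snprintf(out, outlen, "<tr><td>%s</td><td>%s</td></tr>\n", ename, evalue);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void)
{
    /* Constructed sample input: the advisory's manual test vector. */
    const char *name  = "blah";
    const char *value = "<SCRIPT>alert(document.domain)</SCRIPT>";
    char row[2048];
    if (render_echo_row(name, value, row, sizeof row) < 0) {
        fputs("value too long\n", stderr);
        return 1;
    }
    fputs("Content-type: text/html\r\n\r\n", stdout);
    fputs("<table>\n", stdout);
    fputs(row, stdout);          /* script tags arrive as &lt;SCRIPT&gt; text */
    fputs("</table>\n", stdout);
    return 0;
}
```

The escaper refuses to write a truncated result rather than emitting a partially encoded string, since a cut-off entity is itself a way for raw markup to slip through; the caller drops the row instead.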

Manual Testing Notes

http://[victim]/fcgi-bin/echo2.exe?blah=<SCRIPT>alert(document.domain)</SCRIPT>

References:

Vendor URL: http://www.fastcgi.com/
Related OSVDB ID: 700
Nessus Plugin ID: 10838