Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

TRACKtheCLICK Script Injection Vulnerabilities
From: "BrainRawt" <brainrawt () haxworx com>
Date: Sat, 11 Oct 2003 01:32:25 -0500
 Scripts4webmasters.com TRACKtheCLICK Script Injection Vulnerabilities 
 Discovered By Chris Rahm (aka: BrainRawt) (brainrawt () haxworx com)


 About TRACKtheCLICK:
 --------------------
 A perl coded CGI that tracks your email, ezine, banner, and web site 
 links. TRACKtheCLICK outputs log information to a data file that in
 return is viewable in an organized HTML format through the use of
 another CGI called admin.cgi.

 TRACKtheCLICK can be downloaded from the following address.

 http://www.scripts4webmasters.com/clicktracking/index.shtml

 Vulnerable Version:
 -------------------
 Version 1.0


 Vendor Contact:
 ----------------
 10-5-03  - Emailed webmaster () scripts4webmasters com
 
 10-10-03 - No Response 


 Vulnerability:
 ----------------
 Due to a lack of filtering in click.cgi, scalars $agent and $referer are
 vulnerable to script injection.  An individual can inject malicious code
 to the data file by spoofing their User-Agent: and/or Referer:.  When the
 data file is opened by admin.cgi, the injected code will be executed by 
 that persons browser.

 --------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
  • TRACKtheCLICK Script Injection Vulnerabilities BrainRawt (Oct 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]