When I informed Summit Computer Networks' Scott Slater about the Urlcount.cgi vulnerability, he replied to me that the application was property of PowerBASIC, and that he would forward it on. Hearing nothing from either Slater or PowerBASIC, Inc. in nearly two weeks, and in response to requests for information from list readers, I have decided to make details of the vulnerability public.

Urlcount.cgi is a small CGI executable that ships with the server to serve as a hit counter. When given a query string beginning with "url:", the CGI returns the number of hits the URL has received. When the query string is "REPORT", the counter data sheet is returned. If neither condition is met, the CGI saves the URL to urlcount.ini, or increments its counter there.

A flaw in the input sanitization of the CGI's saved data could allow an attacker who could access the CGI to submit a maliciously designed request to the CGI, and then send a targeted visitor to view the counter report. If this is exploited correctly, it allows an attacker's script to run in the context of the targeted site. The CGI does appear to filter script tags, but not events fired by other types of elements.

If a malicious webmaster requested this URL:

http://target/urlcount.cgi?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E

any user who executed this URL:

http://target/urlcount.cgi?REPORT

would be at risk of an attack targeted at their browser in the name of the attacked site.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
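The flaw described above, modelled as an added example that is not part of the original post and is not PowerBASIC's code: a counter that strips only script tags before saving, next to a report that HTML-encodes every stored value on output. The function names, the in-memory store standing in for urlcount.ini, and the table layout of the report are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input: the query string quoted in the post.
POSTED_QUERY = "%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28%27xss%27%29%22%3E"

SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def blacklist_filter(value):
    """Assumed model of the flawed filter: removes <script> tags and nothing else."""
    return SCRIPT_TAG.sub("", value)


def record_hit(store, query, sanitize):
    """Save the requested 'URL' or increment its counter (stand-in for urlcount.ini)."""
    key = sanitize(unquote(query))
    store[key] = store.get(key, 0) + 1


def render_report(store, encode):
    """Build the REPORT page; 'encode' is applied to each stored value on output."""
    rows = [f"<tr><td>{encode(k)}</td><td>{n}</td></tr>" for k, n in store.items()]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def vulnerable_report(queries):
    """Blacklist on input, raw echo on output: event-handler markup survives."""
    store = {}
    for q in queries:
        record_hit(store, q, blacklist_filter)
    return render_report(store, lambda s: s)


def hardened_report(queries):
    """Store the value as received and encode it for the HTML context on output."""
    store = {}
    for q in queries:
        record_hit(store, q, lambda s: s)
    return render_report(store, lambda s: html.escape(s, quote=True))


if __name__ == "__main__":
    sample = [POSTED_QUERY, "%3Cscript%3Ealert(1)%3C/script%3E"]
    print(vulnerable_report(sample))
    print(hardened_report(sample))
```

Encoding at output time covers every element and attribute, so the report stays inert regardless of which tags an input filter happens to know about.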