| VID | 21427 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | FAQ-O-Matic is vulnerable to cross-site scripting through its 'fom.cgi' script. FAQ-O-Matic is an open-source CGI-based program used to maintain a FAQ (Frequently Asked Questions) page on a Web site. FAQ-O-Matic 2.711 and 2.712 are vulnerable to cross-site scripting because the application fails to properly validate user-supplied input in the 'fom.cgi' script. A remote attacker could craft a URL to the 'fom.cgi' script that carries script code in the 'cmd=' parameter and persuade a target user to click it. Once the URL is clicked, the embedded script executes in the victim's Web browser, which could allow the attacker to steal the victim's cookie-based authentication credentials. |
| References | http://securitytracker.com/alerts/2002/Feb/1003476.html; http://www.osvdb.org/displayvuln.php?osvdb_id=8661 |
| Platforms Affected | Jon Howell FAQ-O-Matic 2.711, 2.712; Debian Linux 2.2 |
| Recommendation | Apply the fix for this vulnerability, available from the SourceForge.net Web site at http://sourceforge.net/projects/faqomatic. For Debian GNU/Linux 2.2 (potato): upgrade to the latest version of faqomatic (2.603-1.2 or later), as listed in Debian Security Advisory DSA-109-1 at http://www.debian.org/security/2002/dsa-109. For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2002-0230 (CVE) |
| Related URL | 4565 (SecurityFocus) |
| Related URL | 8066 (ISS) |