| VID |
21804 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Web server has a CGI file vulnerable to a HTTP injection vulnerability in the 'User-Agent' HTTP header. The relevant CGI file is vulnerable to a cross-site scripting attack, caused by improper validation of user-supplied input passed to the 'User-Agent' HTTP header. This vulnerability could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
* References:
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.securitydocs.com/library/3261
http://www.securitydocs.com/library/3472
* Platforms Affected:
Any HTTP server Any version
Any operating system Any version |
| Recommendation |
Modify the affected CGI script to perform proper validation of user-supplied input passed to the 'User-Agent' HTTP Header. For details, please see the Web site at http://stuff.mit.edu/afs/athena/astaff/reference/cert/Tips/cgi_metacharacters |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
