Published:2007/01/25 Last Updated:2008/05/21
JVN#05123538
CGI RESCUE WebFORM vulnerable to cross-site scripting
Overview
WebFORM, released from CGI RESCUE, is a CGI script written in perl that allows a user to send email messages via a HTML form. WebFORM contains a cross-site scripting vulnerability.
Products Affected
- WebFORM 4.3 and earlier
We have confirmed that the fixed version of the Web Mailer is also released from the vendor's website.
Description
Impact
An abitrary script may be executed on the user's web browser.
Solution
Vendor Status
| Vendor | Link |
| CGI RESCUE |
http://www.rescue.ne.jp/ |
|
http://www.rescue.ne.jp/cgi/webform/ |
|
|
http://www.rescue.ne.jp/cgi/mailer/ |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.01.25
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets |
|
| Authentication | None - anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | Complex - the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious |
|
| Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) |
|
Credit
Tomoki Sanaki of International Network Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | |
| JVN iPedia |
JVNDB-2007-000086 |