TUCoPS :: Web :: General :: ttc.txt

TrackTheClick vulnerability

Scripts4webmasters.com TRACKtheCLICK Script Injection Vulnerabilities 
Discovered By Chris Rahm (aka: BrainRawt) (brainrawt@haxworx.com <mailto:brainrawt@haxworx.com>)


About TRACKtheCLICK:
--------------------
A perl coded CGI that tracks your email, ezine, banner, and web site 
links. TRACKtheCLICK outputs log information to a data file that in
return is viewable in an organized HTML format through the use of
another CGI called admin.cgi.

TRACKtheCLICK can be downloaded from the following address.

<http://www.scripts4webmasters.com/clicktracking/index.shtml>

Vulnerable Version:
-------------------
Version 1.0


Vendor Contact:
----------------
10-5-03 - Emailed webmaster@scripts4webmasters.com <mailto:webmaster@scripts4webmasters.com>

10-10-03 - No Response 


Vulnerability:
----------------
Due to a lack of filtering in click.cgi, scalars $agent and $referer are
vulnerable to script injection. An individual can inject malicious code
to the data file by spoofing their User-Agent: and/or Referer:. When the
data file is opened by admin.cgi, the injected code will be executed by 
that persons browser.

--------------------------------------------------------------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH