TUCoPS :: Web :: General :: ttc.txt

TrackTheClick vulnerability

Scripts4webmasters.com TRACKtheCLICK Script Injection Vulnerabilities 
Discovered By Chris Rahm (aka: BrainRawt) (brainrawt@haxworx.com <mailto:brainrawt@haxworx.com>)

A perl coded CGI that tracks your email, ezine, banner, and web site 
links. TRACKtheCLICK outputs log information to a data file that in
return is viewable in an organized HTML format through the use of
another CGI called admin.cgi.

TRACKtheCLICK can be downloaded from the following address.


Vulnerable Version:
Version 1.0

Vendor Contact:
10-5-03 - Emailed webmaster@scripts4webmasters.com <mailto:webmaster@scripts4webmasters.com>

10-10-03 - No Response 

Due to a lack of filtering in click.cgi, scalars $agent and $referer are
vulnerable to script injection. An individual can inject malicious code
to the data file by spoofing their User-Agent: and/or Referer:. When the
data file is opened by admin.cgi, the injected code will be executed by 
that persons browser.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH