CGI.pm start_form or start_multipart_form function cross-site scripting

cgi-startform-xss (12669)

Medium Risk

Description:

CGI.pm is vulnerable to cross-site scripting, caused by a vulnerability in scripts that use the start_form or start_multipart_form function. A remote attacker could embed malicious script in a specially-crafted URL to a vulnerable script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked.

Consequences:

Gain Access

Remedy:

Upgrade to the latest version of CGI.pm (2.98 or later), available from the CGI.pm Web page. See References.

For Mandrake Linux:
Upgrade to the latest perl-CGI package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:084 : perl-CGI for more information. See References.

Mandrake Linux 8.2 (PPC) and Multi Network Firewall: 3.00-0.1mdk or later
Mandrake Linux 9.0, 9.1 (PPC), and Corporate Server 2.1: 3.00-0.2mdk or later

For Conectiva Linux:
Upgrade to the latest perl package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:713 for more information. See References.

Conectiva Linux 8.0: 5.6.1-19U80_1cl or later
Conectiva Linux 9.0: 5.8.0-28837U90_2cl or later

For OpenPKG:
Upgrade to the latest perl-www package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.036 for more information. See References.

OpenPKG CURRENT: 20030802-20030802 or later
OpenPKG 1.2: 1.2.1-1.2.1 or later
OpenPKG 1.3: 1.3.1-1.3.1 or later

For OpenPKG:
Upgrade to the latest perl package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.039 for more information. See References.

OpenPKG CURRENT: 5.8.0-20030915 or later
OpenPKG 1.2: 5.8.0-1.2.1 or later
OpenPKG 1.3: 5.8.0-1.3.1 or later

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest perl package (5.6.1-8.3 or later), as listed in DSA-371-1. See References.

For Turbolinux:
Upgrade to the latest perl package (5.6.1-10 or 5.00503-9 or later), as listed in Turbolinux Security Advisory TLSA-2003-49. See References.

For Red Hat Linux:
Upgrade to the latest perl package, as listed below. Refer to RHSA-2003:256-15 for more information. See References.

Red Hat 7.1 for iSeries and pSeries: 5.6.1-36.1.71 or later
Red Hat 7.2: 5.6.1-36.1.72 or later
Red Hat 7.3: 5.6.1-36.1.73 or later
Red Hat 8.0: 5.8.0-88.3 or later
Red Hat 9: 5.8.0-88.3 or later

For Red Hat Linux containing the perl package:
Upgrade to the latest perl package, as listed below. Refer to RHSA-2003:257-12 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v.2.1), WS (v.2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 5.6.1-36.1.99ent or later

For SGI IRIX:
Apply the patch for this vulnerability, as listed in SGI Security Advisory 20031002-01-U. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• BugTraq Mailing List, Sun Jul 20 2003 - 17:06:47 CDT : CGI.pm vulnerable to Cross-site Scripting.
• BugTraq Mailing List, Tue Jul 22 2003 - 11:57:19 CDT: Re: CGI.pm vulnerable to Cross-site Scripting.
• CGI.pm Web site: CGI.pm - a Perl5 CGI Library.
• CIAC Information Bulletin N-155: Red Hat Updated Perl packages fix security issues.
• Conectiva Linux Security Announcement CLSA-2003:713: perl.
• SGI Security Advisory 20031002-01-U: SGI Advanced Linux Environment security update #3.
• BID-8231: CGI.pm Start_Form Cross-Site Scripting Vulnerability
• CVE-2003-0615: Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.
• DSA-371: perl -- cross-site scripting
• MDKSA-2003:084: Updated perl-CGI packages fix cross-site scripting vulnerabilities
• OpenPKG-SA-2003.036: Perl CGI.pm
• OpenPKG-SA-2003.039: Perl CGI.pm
• RHSA-2003-256: Updated Perl packages fix security issues.
• RHSA-2003-257: perl security update
• SA13638: Sun Solaris Perl Modules Two Vulnerabilities
• SECTRACK ID: 1007234: CGI.pm Library Input Validation Flaw Permits Remote Cross-Site Scripting Attacks

Platforms Affected:

• Conectiva Linux 8.0
• Conectiva Linux 9.0
• Debian Debian Linux 3.0
• L. Stein CGI.pm prior to 2.94
• MandrakeSoft Mandrake Linux 8.2 PPC
• MandrakeSoft Mandrake Linux 8.2
• MandrakeSoft Mandrake Linux 9.0
• MandrakeSoft Mandrake Linux 9.1 PPC
• MandrakeSoft Mandrake Linux 9.1
• MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft Mandrake Linux Corporate Server 2.1
• MandrakeSoft Mandrake Multi Network Firewall 8.2
• OpenPKG OpenPKG 1.2
• OpenPKG OpenPKG 1.3
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 2.1 AW
• RedHat Linux 7
• RedHat Linux 7.1
• RedHat Linux 7.1 for iSeries
• RedHat Linux 7.1 for pSeries
• RedHat Linux 7.2
• RedHat Linux 7.3
• RedHat Linux 8.0
• RedHat Linux 9.0
• RedHat Linux Advanced Workstation 2.1 Itanium
• SGI IRIX 2.2.1
• SGI IRIX 2.3
• Turbolinux Turbolinux 7 Server
• Turbolinux Turbolinux 7 Workstation
• Turbolinux Turbolinux 8 Server
• Turbolinux Turbolinux 8 Workstation
• Turbolinux Turbolinux Advanced Server 6
• Turbolinux Turbolinux Server 6.1
• Turbolinux Turbolinux Server 6.5
• Turbolinux Turbolinux Workstation 6.0

Reported:

Jul 20, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page