CGI Rescue WebForm Multiple Input Validation Vulnerabilities

Bugtraq ID:	22243
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 25 2007 12:00AM
Updated:	Jan 26 2007 07:39PM
Credit:	Sanaki Satosh is credited with discovery of these vulnerabilities.
Vulnerable:	CGI-Rescue CGI Rescue WebFORM 4.3
Not Vulnerable:	CGI-Rescue CGI-Rescue WebFORM 4.4

CGI Rescue WebForm Multiple Input Validation Vulnerabilities

CGI Rescue WebFORM is prone to multiple input-validation vulnerabilities, including an HTTP-response-splitting issue and a cross-site scripting issue, because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to perform cross-site request forgery, cross-site scripting, HTTP-request smuggling, and other attacks.

CGI Rescue WebFORM 4.3 and prior versions are vulnerable to these issues.

CGI Rescue WebForm Multiple Input Validation Vulnerabilities

An attacker can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

CGI Rescue WebForm Multiple Input Validation Vulnerabilities

Solution:
The vendor released an update to address these issues. Please see the references for more information.

CGI Rescue WebForm Multiple Input Validation Vulnerabilities

References:

• JVN#05088443: CGI RESCUE WebFORM HTTP Header Injection (JVN)
  
• JVN#05123538: CGI RESCUE WebFORM (JVN )
  
• Vendor Homepage (CGI-Rescue )