RXGoogle.CGI Cross Site Scripting Vulnerability

Info

Bugtraq ID: 9575
Class: Input Validation Error
CVE: CVE-2004-0251
Remote: Yes
Local: No
Published: Feb 04 2004 12:00AM
Updated: Jul 12 2007 05:17PM
Credit: Discovery of this issue has been credited to Shaun Colley <[email protected]>.
Vulnerable:
  rxgoogle.cgi rxgoogle.cgi 1.0
  All Enthusiast Inc ReviewPost PHP Pro 2.5.1
  All Enthusiast Inc ReviewPost PHP Pro 2.5
  All Enthusiast Inc ReviewPost PHP Pro 1.0.2
Not Vulnerable:

Discussion

The rxgoogle.cgi search script is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input before echoing it back in its output. HTML metacharacters such as '<' and '>' pass through unchanged, which makes script injection possible.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Exploit / POC

No exploit is required to leverage this issue. The following proof of concept has been provided:

http://www.example.com/cgi-bin/rxgoogle.cgi?query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

Solution / Fix

Solution:
The following patch has been submitted by a third party and is untested:

----START
--- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500
+++ test 2004-02-04 14:27:29.000000000 -0500
@@ -197,7 +197,13 @@
my $req = new HTTP::Request GET => "$url";
my $res = $ua->request($req);
if ($res->is_success) { $page_returned =
$res->content; } return $page_returned;}
-sub parse{my (@pairs, %in);my (@pairs, %in);my
($buffer, $pair, $name, $value);if
($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;($value eq "---") and next PAIR;exists
$in{$name} ? ($in{$name} .= "~~$value") : ($in{$name}
= $value);}return %in;}
+
+# This parsing routine poorly sanitized user-input,
thus allowing injection
+# of metametachars, such as '<' and '>'. I have
patched the problem now, by
+# filtering input quite well now.
+#
+# -Shaun2k2
+sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs,
%in);my (@pairs, %in);my ($buffer, $pair, $name,
$value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs =
split(/&/,
$ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq
'POST') {read(STDIN, $buffer,
$ENV{'CONTENT_LENGTH'});@pairs = split(/&/,
$buffer);}PAIR: foreach $pair (@pairs) {($name,
$value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~
tr/+/ /;$value =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq
"---") and next PAIR;exists $in{$name} ? ($in{$name}
.= "~~$value") : ($in{$name} = $value);}return %in;}
sub html_navbar{my
($maxhits,$current,$numhits,$url)=0;my ($html, $nh,
$prev_hit, $next_hit, $left, $right, $first, $last,
$lower, $upper)="";$maxhits =shift; $numhits =shift;
$current =shift; $url =shift;
$nh=int($current/$maxhits)+1; $prev_hit=$nh-1;
$next_hit=$nh+1; if (($current + $maxhits) >=
$numhits) {$next_hit=0;}if ($numhits > $maxhits) {
$left = $nh; $right = int($numhits/$maxhits) -
$nh; ($left > 7) ? ($lower = $left -
7) : ($lower = 1); ($right > 7) ? ($upper = $nh
+ 7) : ($upper = int($numhits/$maxhits) + 1);
(7 - $nh >= 0) and ($upper = $upper + (8 - $nh));
($nh > ($numhits/$maxhits - 7)) and ($lower = $lower
- ($nh - int($numhits/$maxhits - 7) - 1));
$html = ""; ($nh > 1) and ($html .= qq~<a
href="$url&start=$prev_hit">[previous]</a> ~);
for ($i = 1; $i <= int($numhits/$maxhits) + 1; $i++) {
if ($i < $lower) { $html .= " ... "; $i =
($lower-1); next; } if ($i >
$upper) { $html .= " ... "; last; } ($i ==
$nh) ? ($html .= qq~$i ~) :
($html .= qq~<a href="$url&start=$i">$i</a> ~);
(($i * $maxhits) >= $numhits) and last;
}if ($next_hit) { $html .= qq~<a
href="$url&start=$next_hit">[next]</a> ~ unless ($nh
== $i); } }return $html;}

1;
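Review bot: the whitelist in the replacement parse() (`$OK_CHARS='-a-zA-Z0-9_.@'`, applied as `s/[^$OK_CHARS]/_/go` to both $name and $value) rewrites every space to '_', because the preceding `tr/+/ /` has just turned '+' into spaces; a two-word search is therefore forwarded as a single underscored token, and '%', '&', '/', quotes and any non-ASCII characters are mangled the same way. The filter does neutralize the advisory's `<script>` payload, but the narrower fix is to leave the decoded value intact and HTML-escape it (for example with HTML::Entities::encode_entities) at the point where $in{query} is written into the response, since the injection happens on output rather than on input. Two smaller points: `$OK_CHARS` is assigned without `my`, so the routine would not compile if the script were ever run under `use strict`, and the duplicated `my (@pairs, %in);my (@pairs, %in);` carried over from the old routine triggers a "masks earlier declaration" warning under `use warnings`.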
@@ -224,4 +230,4 @@
print WRITEIT "$site\n";
close(WRITEIT);
}
-
\ No newline at end of file
+
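Review bot: this hunk only adds the trailing newline the original file lacked (`\ No newline at end of file`); it is harmless but unrelated to the XSS fix, and the patch description should say so, so that readers do not look for a functional change here.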
---END


Apply the patch as below:

$ patch rxgoogle.cgi rxgoogle-xss.patch
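The following is an added illustration, not part of the advisory or of rxgoogle.cgi: it reproduces the parse() decoding step, applies the third-party patch's whitelist to the advisory's proof-of-concept value and to a constructed benign two-word query, and contrasts that with escaping the decoded value at output time. It assumes the CPAN module HTML::Entities is installed; the sub names are the author's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);   # assumption: HTML::Entities is installed

# Decode one URL-encoded CGI value the same way rxgoogle.cgi's parse() does:
# '+' becomes a space, then %XX sequences are unpacked.
sub url_decode {
    my ($v) = @_;
    $v =~ tr/+/ /;
    $v =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $v;
}

# Approach taken by the third-party patch: at parse time, replace every
# character outside a small whitelist with '_'.
my $OK_CHARS = '-a-zA-Z0-9_.@';
sub whitelist_filter {
    my ($v) = @_;
    $v =~ s/[^$OK_CHARS]/_/g;
    return $v;
}

# Alternative: keep the decoded value as-is and escape it only where it is
# written into HTML, so the search term itself is not altered.
sub html_escape {
    my ($v) = @_;
    return encode_entities($v, '<>&"\'');
}

# Constructed inputs: the advisory's PoC value and a benign two-word search.
my $poc    = '%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E';
my $benign = 'perl+cgi';

for my $raw ($poc, $benign) {
    my $decoded = url_decode($raw);
    printf "decoded : %s\n", $decoded;
    # PoC is neutralized, but the space in 'perl cgi' also turns into '_'.
    printf "patched : %s\n", whitelist_filter($decoded);
    # PoC is rendered inert as text, and the benign query is left intact.
    printf "escaped : %s\n\n", html_escape($decoded);
}
```

Running it shows the trade-off the reviewer note above describes: the whitelist stops the injection but changes what is searched for, whereas output escaping stops it without touching the query.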

References

References: