Vulnerability found in CGI Script

A cross-site scripting vulnerability was found in the ipcalc CGI wrapper script. (Note: this is not the ipcalc script itself; the wrapper is only used when ipcalc is run via a web interface.)

This script was

  • included in the tar archives of ipcalc 0.39 and 0.40.
  • downloadable via http://jodies.de/ipcalc_cgi until 07/27/2006

Description of the vulnerability

The script used the environment variable REQUEST_URI to construct the action URL of the HTML form. REQUEST_URI is taken from the request itself, so a maliciously constructed link to the site can place arbitrary data in it, and that data ended up in the generated page. The new version uses REQUEST_URL.

If in doubt, check whether your script version uses REQUEST_URI. If it does, you should upgrade.
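As an added illustration (not code from ipcalc or its author), the following Python mirrors the flaw described above and one way to harden it: the vulnerable variant copies REQUEST_URI verbatim into the form's action attribute, while the hardened variants either HTML-escape the value or use the server-controlled SCRIPT_NAME instead. The sample environment, the names `vulnerable_form`, `hardened_form`, `escaped_form`, `injected_tag_count` and `uses_request_uri`, and the choice of SCRIPT_NAME are all assumptions of this example; the advisory's own fix is the switch to REQUEST_URL stated above.

```python
import html

# Constructed sample CGI environment (not from the advisory). The REQUEST_URI
# value mimics a request whose path carries attacker-supplied markup.
SAMPLE_ENV_TAINTED = {
    "SCRIPT_NAME": "/cgi-bin/ipcalc",
    "REQUEST_URI": '/cgi-bin/ipcalc?x="><b>injected</b>',
}


def vulnerable_form(env):
    """Mirror the flaw: REQUEST_URI is interpolated unescaped into the action attribute."""
    return '<form action="%s" method="get">' % env.get("REQUEST_URI", "")


def escaped_form(env):
    """Hardening option 1 (assumption): keep the variable but HTML-escape it, quotes included."""
    action = html.escape(env.get("REQUEST_URI", ""), quote=True)
    return '<form action="%s" method="get">' % action


def hardened_form(env):
    """Hardening option 2 (assumption): use SCRIPT_NAME, which the server sets from its own
    configuration rather than from the request line, and still escape it defensively."""
    action = html.escape(env.get("SCRIPT_NAME", ""), quote=True)
    return '<form action="%s" method="get">' % action


def injected_tag_count(markup):
    """Check helper: number of tag openers beyond the single <form> tag we emitted.
    Anything above zero means request data broke out of the attribute value."""
    return markup.count("<") - 1


def uses_request_uri(script_source):
    """The check the advisory suggests: does the installed wrapper still read REQUEST_URI?"""
    return "REQUEST_URI" in script_source


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_form),
                     ("escaped", escaped_form),
                     ("hardened", hardened_form)):
        out = fn(SAMPLE_ENV_TAINTED)
        print("%-10s injected tags=%d  %s" % (name, injected_tag_count(out), out))
```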

How to upgrade

  • Replace your CGI script with http://jodies.de/ipcalc_cgi
  • Or get the newest ipcalc package from the archives: http://jodies.de/ipcalc-archive/