Vulnerability found in CGI Script

A cross site scripting vulnerabilty was found in the ipcalc CGI wrapper script. (Note: This is not the ipcalc script itself, it is only used when ipcalc is run via a web interface).

This script was

included in the tar archives of ipcalc 0.39 and 0.40.

downloadable via http://jodies.de/ipcalc_cgi until 07/27/2006

Description of the vulnerability

The script used the environment variable REQUEST_URI to construct the action url of the html form. REQUEST_URI may contain data from a maliciously constructed link to the site. The new version uses REQUEST_URL.

If in doubt, check if your script version works with REQUEST_URI. You should upgrade then.

How to upgrade

Replace you cgi script with http://jodies.de/ipcalc_cgi

Or get the newest ipcalc package from the archives: http://jodies.de/ipcalc-archive/