Multiple Vendor CGI Script Forced...

Published: 2001-06-13
Revised: 2025-04-13

Many web-based applications (e.g., threaded discussion forums) contain a vulnerability that lets an attacker force other users, including already authenticated ones, to submit arbitrary GET requests. Many such CGI applications accept user input in the form of HTML-embedded references to images and other web content; a forum script, for example, may let users include images in a discussion thread by supplying the URL of the image file. It has been discovered that in many cases a user can supply a hostile querystring concealed within a posted image reference. When a target user views the thread (or follows a posted link), the browser fetches the <img> source automatically and so submits the hostile querystring without the user's knowledge, attaching whatever session cookies or credentials it already holds for that site. If the target user is already authenticated, for instance as a forum administrator, the attacker-supplied CGI query is carried out with that user's privileges. This class of attack is now known as cross-site request forgery (CSRF). This could allow an attacker to...
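The following is an added, constructed example (not code from the advisory or from any affected vendor) that shows the forced-request pattern end to end: a minimal in-memory stand-in for a CGI forum whose admin script acts on any GET that carries an admin session cookie, an attacker post whose <img> reference hides a delete command in the querystring, a routine that mimics the victim's browser fetching every image source with the victim's cookies, and a hardened handler that only accepts the state change over POST with a per-session anti-forgery token. All names (Forum, admin.cgi, forum.example, mallory) are assumptions made for the illustration.

```python
"""Forced-request (CSRF) via a posted <img> reference: vulnerable vs. hardened.

Constructed example; the forum, its users and URLs are invented for the demo.
"""
import re
import secrets
from urllib.parse import parse_qs, urlsplit


class Forum:
    """Tiny in-memory stand-in for a CGI discussion forum."""

    def __init__(self):
        self.roles = {"admin": "admin", "mallory": "user"}
        self.posts = {1: ("admin", "Welcome to the forum"),
                      2: ("mallory", "hello")}
        self.sessions = {}      # session cookie value -> username
        self.csrf_tokens = {}   # session cookie value -> per-session token

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def _delete_post(self, sid, params):
        """Shared state change: delete a post if the session belongs to an admin."""
        user = self.sessions.get(sid)
        if self.roles.get(user) != "admin":
            return 403, "forbidden"
        post_id = int(params.get("id", ["0"])[0])
        if self.posts.pop(post_id, None) is None:
            return 404, "no such post"
        return 200, "deleted"

    def handle_vulnerable(self, method, url, cookies, body=""):
        """Acts on any request carrying an admin session cookie, GET included.
        Nothing proves the admin actually intended the action."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.path == "/admin.cgi" and query.get("action") == ["delete_post"]:
            return self._delete_post(cookies.get("session"), query)
        return 404, "not found"

    def handle_hardened(self, method, url, cookies, body=""):
        """State changes require POST plus a per-session token in the body.
        A browser fetching an <img> sends a GET and cannot know the token."""
        if urlsplit(url).path != "/admin.cgi":
            return 404, "not found"
        if method != "POST":
            return 405, "state-changing requests must use POST"
        form = parse_qs(body)
        sid = cookies.get("session")
        expected = self.csrf_tokens.get(sid)
        supplied = form.get("token", [""])[0]
        if not expected or not secrets.compare_digest(expected, supplied):
            return 403, "missing or wrong anti-forgery token"
        if form.get("action") == ["delete_post"]:
            return self._delete_post(sid, form)
        return 400, "unknown action"


# Crude attribute extractor: enough to pull src="..." out of posted HTML.
IMG_SRC = re.compile(r'<img[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def render_as_victim(forum, handler, thread_html, cookies):
    """Mimic a browser displaying a thread: every <img src> is fetched with a
    plain GET, and the browser attaches the site's cookies automatically."""
    return [handler("GET", src, cookies) for src in IMG_SRC.findall(thread_html)]


def run_scenario(hardened):
    """Attacker posts a 1x1 'image' whose querystring is an admin command; the
    admin then views the thread. Returns the responses and surviving post ids."""
    forum = Forum()
    admin_sid = forum.login("admin")
    handler = forum.handle_hardened if hardened else forum.handle_vulnerable
    attacker_post = ('<p>nice pic</p><img src="http://forum.example/admin.cgi'
                     '?action=delete_post&id=1" width="1" height="1">')
    responses = render_as_victim(forum, handler, attacker_post,
                                 {"session": admin_sid})
    return responses, sorted(forum.posts)


def legitimate_delete(forum, sid, post_id):
    """How the admin's own delete form submits under the hardened handler."""
    body = f"action=delete_post&id={post_id}&token={forum.csrf_tokens[sid]}"
    return forum.handle_hardened("POST", "http://forum.example/admin.cgi",
                                 {"session": sid}, body)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In the vulnerable run the admin's browser deletes post 1 merely by rendering Mallory's post; in the hardened run the same <img> fetch is refused because it is a GET, and even a forged POST fails without the per-session token, which the attacker cannot read from another user's session. Requiring POST alone is not sufficient (an attacker-controlled page can auto-submit a form), so the token check is the part that actually closes the hole.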

No exploit or PoC currently available
Affected product entries: 0