FastCGI Multiple Sample CGI XSS

medium Nessus Plugin ID 10838

Synopsis

The remote web server is prone to cross-site scripting attacks.

Description

Two sample CGI's supplied with FastCGI are vulnerable to cross-site scripting attacks. FastCGI is an 'open extension to CGI that provides high performance without the limitations of server specific APIs', and is included in the default installation of the 'Unbreakable' Oracle9i Application Server. Various other web servers support the FastCGI extensions (Zeus, Pi3Web etc).

Two sample CGI's are installed with FastCGI, (echo.exe and echo2.exe under Windows, echo and echo2 under Unix). Both of these CGI's output a list of environment variables and PATH information for various applications. They also display any parameters that were provided to them.

Solution

Always remove sample applications from production servers.

Plugin Details

Severity: Medium

ID: 10838

File Name: fcgi_echo.nasl

Version: 1.34

Type: remote

Published: 1/25/2002

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Publication Date: 1/1/2002

Reference Information

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990