
List:       full-disclosure
Subject:    [FD] Insecure python cgi documentation and tutorials are vulnerable to XSS.
From:       Georgi Guninski <gguninski () gmail ! com>
Date:       2023-03-21 15:28:44
Message-ID: CAGUWgD-VnyNYUyt3+2QvgSa8V0eAde+637CkA4nBg45t9k1oyw () mail ! gmail ! com

Is there low hanging fruit for the following observation?

The documentation of the Python cgi module is vulnerable to XSS
(cross-site scripting).

https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

First result on Google for "tutorial python cgi"
is https://www.tutorialspoint.com/python/python_cgi_programming.htm

And it is almost the same as the Python doc.

I verified that setting `name=<script>alert(document.domain)</script>`
will trigger a dialog, demonstrating JavaScript is executed
on the cgi host.

I would expect that devs who read the docs or tutorials will write
vulnerable cgis.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
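
The output pattern from the quoted snippet next to a version that passes each field through `html.escape`, as an added example that is not part of the original post or the Python documentation. It parses a constructed query string with `urllib.parse.parse_qs` rather than `cgi.FieldStorage` so it runs without a CGI server; the function names and sample values are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed request data. The name value is the test string quoted in the
# post, URL-encoded; the addr value contains a bare ampersand.
SAMPLE_QUERY = (
    "name=%3Cscript%3Ealert(document.domain)%3C/script%3E"
    "&addr=1+Main+St+%26+Co"
)
FIELDS = ("name", "addr")


def render_unescaped(query: str) -> str:
    """Same pattern as the documentation snippet: raw values go into HTML."""
    form = parse_qs(query)
    return "\n".join(f"<p>{key}: {form[key][0]}" for key in FIELDS)


def render_escaped(query: str) -> str:
    """Encode every request value for the HTML context before output."""
    form = parse_qs(query, keep_blank_values=True)
    lines = []
    for key in FIELDS:
        # A missing field renders as empty text instead of raising KeyError.
        value = form.get(key, [""])[0]
        # quote=True also encodes " and ', so the value stays inert if it is
        # later moved into a quoted attribute.
        lines.append(f"<p>{key}: {html.escape(value, quote=True)}</p>")
    return "\n".join(lines)


def cgi_response(query: str) -> str:
    """Full CGI response with an explicit content type and charset."""
    headers = [
        "Content-Type: text/html; charset=utf-8",
        "X-Content-Type-Options: nosniff",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + render_escaped(query)


if __name__ == "__main__":
    print("--- unescaped (markup from the request reaches the page) ---")
    print(render_unescaped(SAMPLE_QUERY))
    print("--- escaped ---")
    print(cgi_response(SAMPLE_QUERY))
```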