Closed Bug 237780 Opened 21 years ago Closed 21 years ago

Security! A cgi-bin script that "POSTs" to itself can cause errors

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: richard.garris, Unassigned)

Details

(Whiteboard: [sg:nse])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1

I am a web developer who uses CGI.PM (Standard Perl CGI Module) to develop cgi scripts. The CGI.PM module by default will set the action parameters in the <form> element to the current script name. So for example, say the cgi script is at www.foo.com/cgi-bin/bar.pl. If the URL is modified to www.foo.com//cgi-bin/bar.pl, the original script will show the form and the form element will have "//cgi-bin/bar.pl", and upon a POST submittal the browser will be redirected to the whois database or return an error. I would have provided a URL; however, I am fixing the problem on the server side for now. This problem exists in Firefox Version 0.8 and Mozilla version 1.6.

Reproducible: Always

Steps to Reproduce:
1. Find a script that uses a CGI which will use the current URL as the action element.
2. Change the URL in your browser, adding an extra slash between the dns name and the /cgi-bin
3. Reload the form
4. Submit the form

Actual Results: On Mozilla 1.6 it should say cgi-bin not found. On Firefox you will be redirected to the networksolutions homepage (WHOIS Database).

Expected Results: The software should have noticed and ignored the extra slash and directed it back to the original script.

This bug is also present on Mozilla Firebird 0.7 running on Gentoo Linux 2.4.22.

The security issue is that a clever hacker could register a DNS name that corresponds to the script, for example register cgi-bin/bar.pl, and then pick up POSTed URL data off of scripts with errors.
i.e. seems to do the same thing...
Assignee: general → form-submission
Component: Browser-General → HTML: Form Submission
The spec for relative URLs (rfc1808) explicitly allows just the scheme to be inherited from the base, so //newhost/path is a perfectly valid URL and Gecko is doing the technically correct thing here. Probably better to file bugs against CGI.PM to do a little better error checking. Removing security flag.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse]
Component: HTML: Form Submission → DOM: Core & HTML
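The resolution rule cited in the closing comment, worked through on the report's www.foo.com URL. This is an added example, not code from the bug report, Gecko or CGI.pm. It uses the standard `URL` parser available in browsers and Node.js; `safeSelfAction` and `staysOnOrigin` are hypothetical helper names showing the kind of server-side check the comment suggests.

```javascript
// Resolve a form's action attribute against the page URL, as a browser does.
// A reference starting with "//" inherits only the scheme from the base.
function resolveAction(pageUrl, action) {
  return new URL(action, pageUrl);
}

// Hypothetical helper: build a self-referencing action from the request path.
// Backslashes are treated like slashes by browsers for http(s) URLs, so they
// are normalized first; leading slashes are then collapsed to exactly one so
// the value is always a path on the current host, never a network-path
// reference naming a new host.
function safeSelfAction(requestPath) {
  const path = String(requestPath).replace(/\\/g, "/");
  return "/" + path.replace(/^\/+/, "");
}

// Hypothetical check: would submitting this action stay on the page's origin?
function staysOnOrigin(pageUrl, action) {
  return resolveAction(pageUrl, action).origin === new URL(pageUrl).origin;
}

// Walk through the case from the report.
function demo() {
  const pageUrl = "http://www.foo.com//cgi-bin/bar.pl"; // URL with the extra slash
  const echoed = new URL(pageUrl).pathname;             // path echoed into <form action>
  const fixed = safeSelfAction(echoed);
  return {
    echoed,
    echoedTarget: resolveAction(pageUrl, echoed).href,  // host becomes "cgi-bin"
    echoedSameOrigin: staysOnOrigin(pageUrl, echoed),
    fixed,
    fixedTarget: resolveAction(pageUrl, fixed).href,    // stays on www.foo.com
    fixedSameOrigin: staysOnOrigin(pageUrl, fixed),
  };
}

console.log(demo());
```
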