[FD] Insecure python cgi documentation and tutorials are vulnerable to XSS.



Is there low hanging fruit for the following observation?

The documentation of the Python cgi module is vulnerable to XSS
(cross-site scripting)

https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

The first result on Google for "tutorial python cgi"
is https://www.tutorialspoint.com/python/python_cgi_programming.htm

And it is almost the same as the Python doc.

I verified that setting `name=<script>alert(document.domain)</script>`
will trigger a dialog, demonstrating JavaScript is executed
on the cgi host.

I would expect that devs who read the docs or tutorials will write
vulnerable cgis.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
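The pattern from the post next to an escaped version, as an added example that is not part of the original message or of the Python documentation. It assumes `urllib.parse.parse_qs` as a stand-in for `cgi.FieldStorage` (the `cgi` module was removed in Python 3.13); the function names and the sample query are constructed for illustration.

```python
import html
import os
from urllib.parse import parse_qs

# Constructed sample request: the value from the post, URL-encoded, plus an
# address containing "&" to show that ordinary input is escaped as well.
SAMPLE_QUERY = (
    "name=%3Cscript%3Ealert(document.domain)%3C/script%3E"
    "&addr=1+Main+St+%26+Co"
)
FIELDS = ("name", "addr")


def get_field(query: str, key: str) -> str:
    """First value for key, or '' if absent (stand-in for form[key].value)."""
    return parse_qs(query, keep_blank_values=True).get(key, [""])[0]


def render_unsafe(query: str) -> str:
    """Same pattern as the documentation snippet: raw values placed in HTML."""
    return "\n".join(f"<p>{k}: {get_field(query, k)}" for k in FIELDS)


def render_escaped(query: str) -> str:
    """Hardened form: every value is HTML-escaped before it reaches the page."""
    return "\n".join(
        f"<p>{k}: {html.escape(get_field(query, k), quote=True)}</p>"
        for k in FIELDS
    )


def cgi_response(query: str) -> str:
    """Full CGI response: header, blank line, then the escaped body."""
    return "Content-Type: text/html; charset=utf-8\n\n" + render_escaped(query)


if __name__ == "__main__":
    # Under a CGI host the query arrives in QUERY_STRING; fall back to the
    # constructed sample so the script also runs from a terminal.
    print(cgi_response(os.environ.get("QUERY_STRING", SAMPLE_QUERY)))
```

`html.escape` covers values placed in element content or quoted attributes; values written into script blocks, URLs or unquoted attributes need context-specific encoding instead.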