Vulnerabilities > CVE-2002-0230 - Cross-Site Scripting vulnerability in Faq-O-Matic 2.712

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
faq-o-matic
nessus
exploit available

Summary

Cross-site scripting vulnerability in fom.cgi of Faq-O-Matic 2.712 allows remote attackers to execute arbitrary Javascript on other clients via the cmd parameter, which causes the script to be inserted into an error message.

Vulnerable Configurations

Part Description Count
Application
Faq-O-Matic
1

Exploit-Db

description: Faq-O-Matic 2.6/2.7 Cross-Site Scripting Vulnerability. CVE-2002-0230. Remote exploit for cgi platform
id: EDB-ID:21263
last seen: 2016-02-02
modified: 2002-02-04
published: 2002-02-04
reporter: superpetz
source: https://www.exploit-db.com/download/21263/
title: Faq-O-Matic 2.6/2.7 - Cross-Site Scripting Vulnerability

Nessus

  • NASL family: CGI abuses : XSS
    NASL id: FAQ_O_MATIC_XSS.NASL
    description: The remote host runs Faq-O-Matic, a CGI-based system that automates the process of maintaining a FAQ. The remote version of this software is vulnerable to cross-site scripting attacks in the script 'fom.cgi'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15540
    published: 2004-10-21
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15540
    title: Faq-O-Matic fom.cgi Multiple Parameter XSS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: the scanner loads the plugin with `description` set,
    # records the metadata below and exits before any request is sent.
    if (description)
    {
      script_id(15540);
      script_version("1.24");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      # Both CVEs are attributed to the reflected XSS in fom.cgi; check() below
      # only probes the `cmd` parameter.
      script_cve_id("CVE-2002-0230", "CVE-2002-2011");
      script_bugtraq_id(4565);
    
      script_name(english:"Faq-O-Matic fom.cgi Multiple Parameter XSS");
      script_summary(english:"Checks Faq-O-Matic XSS");
    
      script_set_attribute(attribute:"synopsis", value:"A web CGI is vulnerable to cross-site scripting attacks.");
      script_set_attribute(attribute:"description", value:
    "The remote host runs Faq-O-Matic, a CGI-based system that automates
    the process of maintaining a FAQ.
    
    The remote version of this software is vulnerable to cross-site
    scripting attacks in the script 'fom.cgi'.
    
    With a specially crafted URL, an attacker can cause arbitrary code
    execution resulting in a loss of integrity.");
      script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of this software");
      # nb: AC:M here is stricter than the AC:L vector used for CVE-2002-0230 by
      # the Debian DSA-109 plugin; the temporal E:H reflects that a URL suffices.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # "exploit_available" is false because no exploit code is needed, only a crafted URL.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/21");
    
      # potential_vulnerability: the probe never fingerprints Faq-O-Matic itself,
      # which is why paranoid reporting is required below.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
      script_family(english:"CGI abuses : XSS");
    
      # Runs after the generic XSS probe so hosts that reflect any input at all
      # can be skipped (the www/<port>/generic_xss key is consulted before probing).
      script_dependencie("cross_site_scripting.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    # nb: avoid false positives caused by not checking for the app itself: the
    # probe is only run when paranoid reporting (report_paranoia >= 2) is enabled.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # HTTP port under test (default 80); embedded:TRUE presumably keeps embedded
    # web servers in scope -- confirm against http_func.inc.
    port = get_http_port(default:80, embedded:TRUE);
    
    
    # Request fom.cgi below one CGI directory with a harmless marker string in
    # the `cmd` parameter and report when the server echoes the marker back
    # unescaped.  req: directory prefix (from cgi_dirs()); port: the global
    # HTTP port.  The script exits after the first positive so a host is
    # reported once; a missing response also ends the script.
    function check(req)
    {
      local_var url, request, body;
    
      url = string(req, "/fom/fom.cgi?cmd=<script>foo</script>&file=1&keywords=nessus");
      request = http_get(item:url, port:port);
      body = http_keepalive_send_recv(port:port, data:request, bodyonly:1);
      if (body == NULL) exit(0);
    
      # Marker reflected verbatim: the parameter is not HTML-escaped.
      if (!egrep(pattern:"<script>foo</script>", string:body)) return;
    
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      security_warning(port);
      exit(0);
    }
    
    # Skip hosts already known to reflect arbitrary input (generic XSS, set by
    # cross_site_scripting.nasl): a hit here would say nothing about Faq-O-Matic.
    if ( get_kb_item("www/" + port + "/generic_xss") ) exit(0);
    # check() exits on the first positive, so at most one warning per host.
    foreach dir (cgi_dirs()) check(req:dir);
    
  • NASL family: CGI abuses
    NASL id: DANGEROUS_CGIS.NASL
    description: It is possible that the remote web server contains one or more dangerous CGI scripts. Note that this plugin does not actually test for the underlying flaws but instead only searches for scripts with the same name as those with known vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11748
    published: 2003-06-17
    reporter: This script is Copyright (C) 2003-2018 John Lampe
    source: https://www.tenable.com/plugins/nessus/11748
    title: Multiple Dangerous CGI Script Detection
    code:
    #
    # This script was written by John [email protected] 
    # Some entries were added by David Maciejak <david dot maciejak at kyxar dot fr>
    #
    # See the Nessus Scripts License for details
    
    # Changes by Tenable:
    # - Revised plugin title, moved CVE from header comment to CVE (4/9/2009)
    
    include("compat.inc");
    
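    # Registration phase: the scanner loads the plugin with `description` set,
    # records the metadata below and exits before the detection code runs.
    if(description)
    {
     script_id(11748);
     script_version ("1.37");
    
     # Keep in sync with the cgi[]/cve[] table below: every CVE the table can
     # report appears here, each exactly once.
     script_cve_id(
      "CVE-1999-0934",
      "CVE-1999-0935",
      "CVE-1999-0936",
      "CVE-1999-0937",
      "CVE-1999-1072",
      "CVE-1999-1374",
      "CVE-1999-1377",
      "CVE-2000-0288",
      "CVE-2000-0423",
      "CVE-2000-0526",
      "CVE-2000-0923",
      "CVE-2000-0952",
      "CVE-2000-0977",
      "CVE-2000-1023",
      "CVE-2000-1131",
      "CVE-2000-1132",
      "CVE-2001-0022",
      "CVE-2001-0023",
      "CVE-2001-0076",
      "CVE-2001-0099",
      "CVE-2001-0100",
      "CVE-2001-0123",
      "CVE-2001-0133",
      "CVE-2001-0135",
      "CVE-2001-0180",
      "CVE-2001-0420",
      "CVE-2001-0562",
      "CVE-2001-1100",
      "CVE-2001-1196",
      "CVE-2001-1205",
      "CVE-2001-1212",
      "CVE-2001-1283",
      "CVE-2001-1343",
      "CVE-2002-0203",
      "CVE-2002-0230",
      "CVE-2002-0263",
      "CVE-2002-0346",
      "CVE-2002-0611",
      "CVE-2002-0710",
      "CVE-2002-0749",
      "CVE-2002-0750",
      "CVE-2002-0751",
      "CVE-2002-0752",
      "CVE-2002-0917",
      "CVE-2002-0955",
      "CVE-2002-1334",
      "CVE-2002-1526",
      "CVE-2003-0153",
      "CVE-2004-0251",
      "CVE-2004-0665",
      "CVE-2004-0696",
      "CVE-2004-0734"
     );
     script_bugtraq_id(
      1784,
      2177,
      2197,
      4211,
      4579,
      5078,
      6265
     );
     
     script_name(english:"Multiple Dangerous CGI Script Detection");
     script_summary(english:"Checks for dangerous cgi scripts");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server may contain some dangerous CGI scripts."
     );
     script_set_attribute(attribute:"description", value:
    "It is possible that the remote web server contains one or more
    dangerous CGI scripts. 
    
    Note that this plugin does not actually test for the underlying flaws
    but instead only searches for scripts with the same name as those with
    known vulnerabilities."
     );
     script_set_attribute(attribute:"solution", value:
    "Visit http://cve.mitre.org/ and check the associated CVE entry for
    each script found.  If you are running a vulnerable version, then
    delete or upgrade the script."
     );
     # nb: one worst-case vector covers the whole table, so the reported
     # severity is not specific to the script actually found.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:ND/RC:ND");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
     # nb: only CWE-22 is declared although the table also holds XSS entries (e.g. fom.cgi).
     script_cwe_id(22);
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/17");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/01/07");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
     
     script_category(ACT_ATTACK); 
     
     script_copyright(english:"This script is Copyright (C) 2003-2020 John Lampe");
     script_family(english:"CGI abuses");
     script_dependencie("find_service1.nasl", "http_version.nasl");
     script_require_ports("Services/www", 80);
     script_exclude_keys("Settings/disable_cgi_scanning");
     # Both settings are re-checked at run time before any request is made.
     script_require_keys("Settings/ThoroughTests", "Settings/ParanoidReport");
     exit(0);
    }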
    
    #
    # The script code starts here
    #
    
    include("http_func.inc");
    include("http_keepalive.inc");
    include("global_settings.inc");
    
    # Gate: both paranoid reporting and thorough tests must be enabled, because
    # the plugin only matches script names (see the description) and is slow.
    if ( report_paranoia < 2 || ! thorough_tests )
     exit(0, "This plugin is slow and prone to FP: it will only run in 'paranoid' mode and if the 'Perform thorough tests' setting enabled.");
    
    port = get_http_port(default:80, embedded:TRUE);
    # www/no404/<port> presumably marks servers that answer unknown paths with
    # a success page, which would make every name look installed -- confirm in http_func.inc.
    if ( get_kb_item("www/no404/" + port ) || ! port) exit(0);
    
    if(!get_port_state(port))exit(0);
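    # Script-name -> CVE table reported when a same-named script is found.
    # Each name appears once so a hit is reported once (the former duplicate
    # ezadmin.cgi and sendmessage.cgi rows produced two lines per find), and
    # indices stay contiguous from 0 because the loop below stops at the
    # first unset entry.
    cgi[0] = "AT-admin.cgi";       cve[0] = "CVE-1999-1072";
    cgi[1] = "CSMailto.cgi";       cve[1] = "CVE-2002-0749"; # also CVE-2002-0750, CVE-2002-0751 and CVE-2002-0752
    cgi[2] = "UltraBoard.cgi";     cve[2] = "CVE-2001-0135";
    cgi[3] = "UltraBoard.pl";      cve[3] = "CVE-2001-0135";
    cgi[4] = "YaBB.cgi";           cve[4] = "CVE-2002-0955";
    cgi[5] = "a1disp4.cgi";        cve[5] = "CVE-2001-0562";
    cgi[6] = "alert.cgi";          cve[6] = "CVE-2002-0346";
    cgi[7] = "authenticate.cgi";   cve[7] = "CVE-2000-0923";
    cgi[8] = "bbs_forum.cgi";      cve[8] = "CVE-2001-0123";
    cgi[9] = "bnbform.cgi";        cve[9] = "CVE-1999-0937";
    cgi[10] = "bsguest.cgi";       cve[10] = "CVE-2001-0099";
    cgi[11] = "bslist.cgi";        cve[11] = "CVE-2001-0100";
    cgi[12] = "catgy.cgi";         cve[12] = "CVE-2001-1212";
    cgi[13] = "cgforum.cgi";       cve[13] = "CVE-2000-1132";
    cgi[14] = "classifieds.cgi";   cve[14] = "CVE-1999-0934";
    cgi[15] = "csPassword.cgi";    cve[15] = "CVE-2002-0917";
    cgi[16] = "cvsview2.cgi";      cve[16] = "CVE-2003-0153";
    cgi[17] = "cvslog.cgi";        cve[17] = "CVE-2003-0153";
    cgi[18] = "multidiff.cgi";     cve[18] = "CVE-2003-0153";
    cgi[19] = "dnewsweb.cgi";      cve[19] = "CVE-2000-0423";
    cgi[20] = "download.cgi";      cve[20] = "CVE-1999-1377";
    cgi[21] = "edit_action.cgi";   cve[21] = "CVE-2001-1196";
    cgi[22] = "emumail.cgi";       cve[22] = "CVE-2002-1526";
    cgi[23] = "everythingform.cgi"; cve[23] = "CVE-2001-0023";
    cgi[24] = "ezadmin.cgi";       cve[24] = "CVE-2002-0263";
    cgi[25] = "ezboard.cgi";       cve[25] = "CVE-2002-0263";
    cgi[26] = "ezman.cgi";         cve[26] = "CVE-2002-0263";
    cgi[27] = "FileSeek.cgi";      cve[27] = "CVE-2002-0611";
    cgi[28] = "fom.cgi";           cve[28] = "CVE-2002-0230";
    cgi[29] = "gbook.cgi";         cve[29] = "CVE-2000-1131";
    cgi[30] = "getdoc.cgi";        cve[30] = "CVE-2000-0288";
    cgi[31] = "global.cgi";        cve[31] = "CVE-2000-0952";
    cgi[32] = "guestserver.cgi";   cve[32] = "CVE-2001-0180";
    cgi[33] = "imageFolio.cgi";    cve[33] = "CVE-2002-1334";
    cgi[34] = "lastlines.cgi";     cve[34] = "CVE-2001-1205";
    cgi[35] = "mailfile.cgi";      cve[35] = "CVE-2000-0977";
    cgi[36] = "mailview.cgi";      cve[36] = "CVE-2000-0526";
    cgi[37] = "sendmessage.cgi";   cve[37] = "CVE-2001-1100";
    cgi[38] = "nsManager.cgi";     cve[38] = "CVE-2000-1023";
    cgi[39] = "perlshop.cgi";      cve[39] = "CVE-1999-1374";
    cgi[40] = "readmail.cgi";      cve[40] = "CVE-2001-1283";
    cgi[41] = "printmail.cgi";     cve[41] = "CVE-2001-1283";
    cgi[42] = "register.cgi";      cve[42] = "CVE-2001-0076";
    cgi[43] = "sendform.cgi";      cve[43] = "CVE-2002-0710";
    cgi[44] = "service.cgi";       cve[44] = "CVE-2002-0346";
    cgi[45] = "setpasswd.cgi";     cve[45] = "CVE-2001-0133";
    cgi[46] = "simplestmail.cgi";  cve[46] = "CVE-2001-0022";
    cgi[47] = "simplestguest.cgi"; cve[47] = "CVE-2001-0022";
    cgi[48] = "talkback.cgi";      cve[48] = "CVE-2001-0420";
    cgi[49] = "ttawebtop.cgi";     cve[49] = "CVE-2002-0203";
    cgi[50] = "ws_mail.cgi";       cve[50] = "CVE-2001-1343";
    cgi[51] = "survey.cgi";        cve[51] = "CVE-1999-0936";
    cgi[52] = "rxgoogle.cgi";      cve[52] = "CVE-2004-0251";
    cgi[53] = "ShellExample.cgi";  cve[53] = "CVE-2004-0696";
    cgi[54] = "Web_Store.cgi";     cve[54] = "CVE-2004-0734";
    cgi[55] = "csFAQ.cgi";         cve[55] = "CVE-2004-0665";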
    
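    flag = 0;
    
    mymsg = string("\n", "The following dangerous CGI scripts were found :", "\n\n");
    
    # cgi_dirs() reads the KB; fetch the directory list once rather than once
    # per table entry.
    dirs = cgi_dirs();
    
    # Walk the table until the first unset index (entries are contiguous from 0)
    # and collect one report line per directory/script pair that answers.
    for (i = 0 ; cgi[i]; i = i + 1) {
      foreach dir (dirs) {
        if(is_cgi_installed_ka(item:string(dir, "/", cgi[i]), port:port)) {
          flag = 1;
          mymsg = mymsg + string("  - ", dir, "/", cgi[i], " (", cve[i], ")\n");
        }
      }
    }
    
    # Name match only, no flaw is exercised; 'extra' lists every script found
    # together with its CVE so the operator can verify each one.
    if (flag) {
     security_hole(port:port, extra:mymsg); 
    }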
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-109.NASL
    description: Due to unescaped HTML, Faq-O-Matic returned unverified scripting code to the browser. With some tweaking this enables an attacker to steal cookies from one of the Faq-O-Matic moderators or the admin. Cross-Site Scripting is a type of problem that allows a malicious person to make another person run some JavaScript in their browser. The JavaScript is executed on the victim's machine and is in the context of the website running the Faq-O-Matic Frequently Asked Question manager.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14946
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14946
    title: Debian DSA-109-1 : faqomatic - XSS vulnerability
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-109. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: the scanner loads the plugin with `description` set,
    # records the metadata below and exits before the package check runs.
    if (description)
    {
      script_id(14946);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2002-0230");
      script_xref(name:"DSA", value:"109");
    
      script_name(english:"Debian DSA-109-1 : faqomatic - XSS vulnerability");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text reproduced from DSA-109 (see the header comment).
      script_set_attribute(
        attribute:"description", 
        value:
    "Due to unescaped HTML code Faq-O-Matic returned unverified scripting
    code to the browser. With some tweaking this enables an attacker to
    steal cookies from one of the Faq-O-Matic moderators or the admin.
    
    Cross-Site Scripting is a type of problem that allows a malicious
    person to make another person run some JavaScript in their browser.
    The JavaScript is executed on the victims machine and is in the
    context of the website running the Faq-O-Matic Frequently Asked
    Question manager."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-109"
      );
      # Only the stable (2.2) fix version is checked by deb_check() below.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the faqomatic package if you have it installed.
    
    This problem has been fixed in version 2.603-1.2 for the stable Debian
    distribution and version 2.712-2 for the current testing/unstable
    distribution."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      # Local check: evidence comes from the dpkg package list, not from HTTP.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Two CPEs: the faqomatic package and the Debian release it is checked on.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:faqomatic");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/02/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs the SSH-collected release and dpkg list; the run-time checks
      # below audit out when any of these keys is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Bail out (via audit) unless SSH local checks ran, the host is Debian and a
    # dpkg package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Debian 2.2: fixed in faqomatic 2.603-1.2 (DSA-109).
    vulnerable = deb_check(release:"2.2", prefix:"faqomatic", reference:"2.603-1.2");
    
    if (vulnerable)
    {
      # Verbose reports include the installed/fixed versions from deb_report_get().
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    audit(AUDIT_HOST_NOT, "affected");