Anglers.NET CGI Vulnerability: XSS/Open Redirect and Patch Guide

Critical Vulnerability Information Summary Public Disclosure Date: June 24, 2019 Latest Update Date: December 25, 2023 Vulnerability Description: A vulnerability exists in the access log parsing CGI deployed on websites released prior to June 24, 2019. Third parties may view parsing pages or access management interfaces, execute unintended JavaScript, posing a security risk. An update on December 25, 2023, added information about an open redirect vulnerability. Vulnerability Details and Risks Third parties can view parsing pages; malicious access may lead to execution of unintended JavaScript, creating security risks. December 25, 2023 Update: In links generated by link elements, malicious websites may exploit open redirect attacks to compromise certain content. Mitigation Measures For users who were using the service before December 24, 2023, please follow these steps: - Download the latest scripts and replace existing files with extensions. - Delete the old file. (Added on December 25, 2023.) Configuration File Check: Ensure the configuration file ( ) is not directly accessible via browser. Server misconfigurations may allow direct access to the config file. If accessible, perform the following: - Example URL to check: - Ensure the downloaded folder contains a file named , which should be renamed to and placed in the folder. This will trigger a warning indicating that script settings cannot be modified. Change password for the management login interface. Parsing HTML: The following HTML example is displayed under . Remove the parts marked in red and make the following modifications. Acknowledgments and Update History Acknowledgments: We thank Mr. Yuta Watanabe of STNet for providing valuable information. Update History: - June 24, 2019: This page was publicly disclosed. - December 25, 2023: Open redirect vulnerability information was added. Contact Information Company: Anglers Net Co., Ltd. (有限会社アングラーズネット) Email: info@anglers.net.com Copyright: © Copyright 2009-10 ANGLERS.NET Co., Ltd. All rights reserved.

Goal Reached Thanks to every supporter — we hit 100%!

Anglers.NET CGI Vulnerability: XSS/Open Redirect and Patch Guide