...
When fed a benign name, such as Larry, this script works well enough:
IMAGE
But this code will happily pass through image tags, HTML markup, JavaScript, or any other content an attacker may wish to send, and the browser will parse it as markup. The following picture demonstrates a remote image being loaded into the page at the request of the attacker:
IMAGE
In this case the trust boundary lies between the untrusted data and the CGI script, and the trusted domain is the web browser, or more precisely the HTML parsing and rendering engine within the web browser.
...
When fed the malicious image tag demonstrated above, the escapeHTML() subroutine sanitizes characters that might be misinterpreted by a web browser, causing the name to appear exactly as it was entered:
IMAGE
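As an added example (not the standard's own code), the following Perl script assumes the CGI module is installed and echoes a submitted name back both unescaped and through escapeHTML(), using a constructed benign name and a constructed image tag like the one described above:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;   # provides CGI::escapeHTML(); assumed installed from CPAN

# Constructed sample inputs standing in for the 'name' CGI parameter:
# a benign name and an injected image tag (hostname is a placeholder).
my @names = (
    'Larry',
    '<img src="http://attacker.example/evil.png">',
);

# Noncompliant: untrusted data is interpolated straight into HTML,
# so the browser's HTML parser acts on whatever markup it contains.
sub greet_unsafe {
    my ($name) = @_;
    return "<p>Hello, $name!</p>";
}

# Compliant: escapeHTML() rewrites &, <, >, " (and ' in recent CGI.pm)
# as character entities, so the browser renders them as literal text
# instead of interpreting them as tags or attributes.
sub greet_safe {
    my ($name) = @_;
    my $safe = CGI::escapeHTML($name);
    return "<p>Hello, $safe!</p>";
}

for my $name (@names) {
    print "unsafe: ", greet_unsafe($name), "\n";
    print "safe:   ", greet_safe($name),   "\n";
}
```

Running it shows that the benign name is unchanged by escaping, while the image tag is emitted as text that the browser displays rather than fetches.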
Risk Assessment
...
...