The `%.80s' string is used to print the URL for 404 errors, but without escapement. Since the URL comes from the user, <script> code could be added to it to cause the server to send an arbitrary script.
This issue applies to the Texis Monitor web server, which is used if you installed the Windows version of Webinator with the Texis ISAPI filter. If you have a maintenance contract with Thunderstone, contact us about an upgrade to address this issue. In the meantime, a hotfix can be applied with the following procedure:
1) Stop all Webinator crawls.
2) cd to your Texis/Webinator executable dir (the dir with monitor.exe, eg. c:\morph3)
3) Back up the executable:
copy monitor.exe monitor-org.exe
4) Copy the following 16-line script to an ASCII text file named fix. Be sure to copy it *exactly*:
<script language=vortex>
<timeout=-1></timeout>
<a name=main>
<vxcp htmlmode off>
<read "monitor-org.exe">
<if "" eq $ret>Error: Could not read file<exit 1></if>
<strfmt "%U" $ret>
<sandr ">>\+method\+%60\P=%25s" "%25H" $ret>
<sandr ">>\+method\+%27\P=%25s" "%25H" $ret>
<sandr ">>\+syntax%3A\+\P=%25s" "%25H" $ret>
<sandr ">>\+URL\+%27\P=%25\.80s" "%25.80H" $ret>
<sandr ">>\+URL\+is\+%27\P=%25s" "%25H" $ret>
<write "monitor-fix.exe"><fmt "%!U" $ret></write>
Patches applied.
</a>
</script>
6) Apply the patches to create monitor-fix.exe by running the script:
texis fix
This should create monitor-fix.exe. There should be no error messages printed. The resulting monitor-fix.exe will be the same size as monitor-org.exe.
7) Stop the Texis Monitor Service (or run monitor -k to do so from the command line). This will allow monitor.exe to be replaced.
8) Propagate the patched executable:
copy /y monitor-fix.exe texis.exe
copy /y monitor-fix.exe monitor.exe
9) Re-start the Texis Monitor web service, or from the command line:
start /B monitor
