CVE-2002-1008

Lil' HTTP Server - Cross-Site Scripting via urlcount.cgi REPORT Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1008. PoCs published by Matthew Murphy.

AI-analyzed exploit summary: The exploit demonstrates an HTML injection vulnerability in Lil' HTTP Server's 'urlcount.cgi' script. Because user input is insufficiently sanitized, arbitrary HTML can be injected into the reports page.

Description

Cross-site scripting vulnerability in PowerBASIC urlcount.cgi, as included in Lil' HTTP web server, allows remote attackers to execute arbitrary web script in other web browsers via a request to urlcount.cgi that contains the script, which is not filtered when the REPORT capability prints the original request.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Matthew Murphy · text · remote · windows
https://www.exploit-db.com/exploits/21581

Classification
Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Lil' HTTP Server
No auth needed
Prerequisites: Access to the target server's 'urlcount.cgi' script
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/5115
Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9445.php
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0072.html
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0332.html

Scores

EPSS 0.0710
EPSS Percentile 93.4%

Details

Status published
Products (2)
summit_computer_networks/lil_http_server 2.1
summit_computer_networks/lil_http_server 2.2
Published Oct 04, 2002
Tracked Since Feb 18, 2026