From: Zoltan Milosevic (zoltanm_at_xav.com)
Date: Wed Jul 10 2002 - 12:16:11 CDT
Hello,
Thanks for this bug report.
I have released an updated version which includes a fix (FDSE version
2.0.0.0055). For the folks at securitybugware.org and
securityfocus.com, would you please include a mention of this update if
you issue a report.
Thanks,
Zoltan Milosevic
(360) 944-8387
Fluid Dynamics Search Engine
http://www.xav.com/scripts/search/
-----Original Message-----
From: valdeux [mailto:valdeux@aol.com]
Sent: Wednesday, July 10, 2002 7:40 AM
To: scripts@nickname.net; contact@securitybugware.org; bugtraq@securityfocus.com; valdeux@aol.com
Subject: XSS Hole in Fluid Dynamics Search engine
Name : FD Search Engine
Vendor : Fluid Dynamics - http://www.xav.com
Version : Probably all
Demo : http://www.xav.com/search.pl
Note : Sorry for my poor English ...
-------------------------------------
PROBLEM
For a multiple result pages search, the script uses the variable Rank which
contains the current result number.
Anything could be written into, including HTML tags.
EXAMPLE
http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1>
Note : it works because "test" returns several pages.
SOLUTION
None yet.
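The reflection described in the report, shown beside a hardened version, as an added illustration that is not FDSE's own code (the function names, the query-string parser and the sample query are assumptions constructed for this example). The point is that Rank is a result counter, so the fix is to accept only a non-negative integer and still HTML-escape whatever is echoed back:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal query-string parser (constructed for this example; a real CGI
# would use a proper module). Returns a hashref of decoded parameters.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $p{$k} = $v;
    }
    return \%p;
}

# Escape the characters that matter inside HTML element content and
# attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the parameter is interpolated into the page as-is,
# so any markup in it is rendered by the browser.
sub render_rank_vulnerable {
    my ($rank) = @_;
    return "<p>Showing results starting at result $rank</p>\n";
}

# Hardened pattern: Rank must be a short non-negative integer (anything else
# falls back to 0), and the value is escaped on output as defence in depth.
sub render_rank_hardened {
    my ($rank) = @_;
    $rank = 0 unless defined $rank && $rank =~ /^\d{1,9}\z/;
    return "<p>Showing results starting at result "
         . html_escape($rank) . "</p>\n";
}

# Constructed sample queries: a normal request and the tag-bearing Rank
# value from the advisory (URL-encoded as a browser would send it).
my @samples = (
    'Realm=All&Match=0&Terms=test&Rank=10',
    'Realm=All&Match=0&Terms=test&Rank=%3Cbr%3E%3Ch1%3EXSS%3C%2Fh1%3E',
);

for my $qs (@samples) {
    my $params = parse_query($qs);
    print "Rank parameter : $params->{Rank}\n";
    print "  vulnerable   : ", render_rank_vulnerable($params->{Rank});
    print "  hardened     : ", render_rank_hardened($params->{Rank});
}
```

Running it prints the second sample's tags verbatim from the vulnerable renderer and "result 0" from the hardened one; if the parameter were free text rather than a counter, the whitelist would be dropped and html_escape alone would carry the fix.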