From: Zoltan Milosevic (zoltanm_at_xav.com)
Date: Wed Jul 10 2002 - 12:16:11 CDT

    Hello,

    Thanks for this bug report.

    I have released an updated version which includes a fix (FDSE version
    2.0.0.0055). For the folks at securitybugware.org and
    securityfocus.com, would you please include a mention of this update if
    you issue a report.

    Thanks,
    Zoltan Milosevic
    (360) 944-8387

    Fluid Dynamics Search Engine
    http://www.xav.com/scripts/search/

    -----Original Message-----
    From: valdeux [mailto:valdeuxaol.com]
    Sent: Wednesday, July 10, 2002 7:40 AM
    To: scriptsnickname.net; contactsecuritybugware.org;
    bugtraqsecurityfocus.com; valdeuxaol.com
    Subject: XSS Hole in Fluid Dynamics Search engine

    Name : FD Search Engine
    Vendor : Fluid Dynamics - http://www.xav.com
    Version : Probably all
    Demo : http://www.xav.com/search.pl

    Note : Sorry for my poor English ...
    -------------------------------------

    PROBLEM
            For a search with multiple result pages, the script uses the
    variable Rank, which contains the current result number.
            Anything can be written into it, including HTML tags.

    EXAMPLE
    http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1>
            Note : it works because "test" returns several pages.

    SOLUTION
            None yet.
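The report above describes a reflected XSS: the Rank parameter, meant to hold a result number, is written back into the pagination part of the results page without validation or encoding, and only when the search has more hits than fit on one page. The following is an added illustration written for this page, not FDSE's own Perl code: it models a hypothetical results renderer with the bug class beside a hardened variant that parses Rank as an integer and HTML-escapes it on output anyway. The query string is the one from the report; the hit count and the exact HTML are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed query string mirroring the report's example; Rank carries markup.
EXAMPLE_URL = ("http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1"
               "&maxhits=10&Rank=<br><h1>XSS</h1>")


def query_params(url):
    """First value of each query parameter, as a CGI script would read them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def _int_or_default(value, default):
    """Accept only a short run of digits; anything else falls back to the default."""
    return int(value) if re.fullmatch(r"[0-9]{1,6}", value or "") else default


def render_pagination(params, total_hits, hardened):
    """Hypothetical rendering of a results page's 'next results' line.

    The line is only emitted when there are more hits than fit on one page,
    which is why the report notes that the payload needs a term that returns
    several pages.  With hardened=False the Rank value is interpolated raw
    (the bug class in the report); with hardened=True it is parsed as an
    integer and the output is HTML-escaped as well, so a later mistake in the
    validation cannot reintroduce the injection on its own.
    """
    maxhits = _int_or_default(params.get("maxhits"), 10)
    rank_raw = params.get("Rank", "0")
    terms = params.get("Terms", "")
    safe_terms = html.escape(terms, quote=True)
    page = [f"<p>{total_hits} results for {safe_terms}</p>"]
    if total_hits > maxhits:
        if hardened:
            rank = str(_int_or_default(rank_raw, 0))
            rank = html.escape(rank, quote=True)  # defence in depth: encode on output
        else:
            rank = rank_raw  # vulnerable: attacker-controlled text lands in the HTML
        page.append(f'<a href="search.pl?Terms={safe_terms}&amp;Rank={rank}">'
                    f'Next results (rank {rank})</a>')
    return "\n".join(page)


def contains_payload_tag(page):
    """True if the injected <h1> element survived into the page unencoded."""
    return "<h1>" in page.lower()


if __name__ == "__main__":
    p = query_params(EXAMPLE_URL)
    print(render_pagination(p, total_hits=57, hardened=False))
    print(render_pagination(p, total_hits=57, hardened=True))
```

Run as-is, the first print reproduces the report's symptom (the <h1> element appears in the page), the second shows the payload replaced by a rank of 0; passing a small total_hits to the vulnerable renderer shows why a single-page search does not trigger the bug, matching the report's note. The integer check is the real fix for a numeric parameter; the escape on output is kept because the same template pattern is typically used for string parameters such as Terms, where encoding is the only option.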