|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] Vivísimo Content Engine Search Parameter Cross-Site Scripting
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Mon Oct 20 2003 - 09:15:45 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
Vivísimo Content Engine Search Parameter Cross-Site Scripting
SECUNIA ADVISORY ID:
SA10033
VERIFY ADVISORY:
http://www.secunia.com/advisories/10033/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Vivísimo Content Engine
DESCRIPTION:
A vulnerability has been reported in Vivísimo Content Engine, which
can be exploited by malicious people to conduct Cross-Site Scripting
attacks against other users.
The vulnerability is caused due to missing input validation when
processing users' search queries. This can be exploited by supplying
arbitrary HTML or script code to the "query" parameter, which will be
executed in a user's browser session when viewed.
Example:
http://[victim]/search?query=<script>alert(document.domain)</script>
SOLUTION:
Filter malicious characters in a HTTP proxy or firewall with URL
filtering capabilities.
REPORTED BY / CREDITS:
ComSec
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]