On 27 Jun 2002, Scott Gifford wrote:
> Saw this on BugTraq just now.
I don't think this is actually a problem with properly-formatted templates
under 3.1.6 or 3.2.0b3-3.2.0b4. The question is the $(WORDS) variable
substitution--where this query would "hijack" it and put in the <script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Search results for '$&(WORDS)'</title></head>
But the current header.html files have $&(WORDS) which is HTML-escaped, so
the <script> would be rendered in the file as &lt;script&gt; which
shouldn't cause any problems.
Unfortunately Gilles is on vacation, but I don't see any vulnerability in
the default-installed 3.1.6. Now, it's probably worth pointing out to
users that they should upgrade to a recent version and make sure their
templates use $&(VAR) where necessary to avoid XSS attacks. But I don't
see this as a hole in htsearch.
Williams Students Online
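To make the $(WORDS) versus $&(WORDS) distinction concrete, here is an added example that is not part of the original message and not ht://Dig's own code: a simplified model (an assumption) of the template substitution, plus a check that flags template variables left unescaped.

```python
import html
import re

# Constructed template fragments modelled on the header.html line quoted in the
# message; the real htsearch template engine is not used here (assumption).
SAFE_TEMPLATE = "<title>Search results for '$&(WORDS)'</title>"
UNSAFE_TEMPLATE = "<title>Search results for '$(WORDS)'</title>"

# $(NAME) substitutes verbatim; $&(NAME) substitutes HTML-escaped.
_VAR_RE = re.compile(r"\$(&?)\((\w+)\)")


def render(template: str, variables: dict) -> str:
    """Expand the template: $(VAR) verbatim, $&(VAR) HTML-escaped."""
    def expand(match):
        escaped = match.group(1) == "&"
        value = str(variables.get(match.group(2), ""))
        return html.escape(value, quote=True) if escaped else value
    return _VAR_RE.sub(expand, template)


def unescaped_variables(template: str) -> list:
    """Names substituted with plain $(VAR); these need review before use
    with user-controlled input such as the search words."""
    return [m.group(2) for m in _VAR_RE.finditer(template)
            if m.group(1) != "&"]


def contains_raw_tag(rendered: str) -> bool:
    """True if the rendered page carries an unescaped tag from the input."""
    return re.search(r"<\s*script", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed query text mirroring the case discussed in the message.
    words = {"WORDS": "<script>"}
    for label, tpl in (("safe", SAFE_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        out = render(tpl, words)
        print(label, "->", out, "| raw tag:", contains_raw_tag(out),
              "| unescaped vars:", unescaped_variables(tpl))
```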