From: Geoff H. <ghu...@ws...> - 2002-06-28 17:25:44
On 27 Jun 2002, Scott Gifford wrote:

> Saw this on BugTraq just now.
> http://www.anyhost.com/cgi-bin/htsearch.cgi?words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

I don't think this is actually a problem with properly-formatted templates under 3.1.6 or 3.2.0b3-3.2.0b4. The question is the $(WORDS) variable substitution--where this query would "hijack" it and put in the <script> attack.

e.g.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Search results for '$&(WORDS)'</title></head>
<body bgcolor="#eef7ff">

But the current header.html files have $&(WORDS) which is HTML-escaped, so the <script> would be rendered in the file as &lt;script&gt; which shouldn't cause any problems.

Unfortunately Gilles is on vacation, but I don't see any vulnerability in the default-installed 3.1.6.

Now, it's probably worth pointing this out to users that they should upgrade to a recent version and make sure your templates use $&(VAR) where necessary to avoid XSS attacks. But I don't see this as a hole in htsearch.

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
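The distinction Geoff draws between $(WORDS) and $&(WORDS) can be checked mechanically. The following is an added example, not htsearch's own code: a small stand-in for the template expansion (the regex, the `expand` helper and the two one-line header.html fragments are constructed here), run against the decoded `words` value from the URL quoted in the thread, so a template author can verify that only the escaped form keeps a raw `<script>` tag out of the rendered page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The URL from the BugTraq report quoted in the thread, used as sample input.
REPORTED_URL = ("http://www.anyhost.com/cgi-bin/htsearch.cgi?words="
                "%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E")

# Constructed one-line header.html fragments in the two styles the message contrasts.
UNSAFE_TEMPLATE = "<title>Search results for '$(WORDS)'</title>"
SAFE_TEMPLATE = "<title>Search results for '$&(WORDS)'</title>"

# Hypothetical matcher for $(VAR) and $&(VAR); not htsearch's parser.
_VAR = re.compile(r"\$(&?)\((\w+)\)")


def expand(template: str, variables: dict) -> str:
    """Stand-in for the substitution described in the thread:
    $(VAR) inserts the value verbatim, $&(VAR) HTML-escapes it first."""
    def sub(m):
        escaped, name = m.group(1) == "&", m.group(2)
        value = variables.get(name, "")
        return html.escape(value, quote=True) if escaped else value
    return _VAR.sub(sub, template)


def words_from_url(url: str) -> str:
    """Return the decoded 'words' parameter as the CGI would receive it."""
    return parse_qs(urlsplit(url).query).get("words", [""])[0]


def contains_raw_script(rendered: str) -> bool:
    """Defender's check on the rendered output: is an unescaped <script> tag present?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    words = words_from_url(REPORTED_URL)
    for label, tpl in (("$(WORDS)", UNSAFE_TEMPLATE), ("$&(WORDS)", SAFE_TEMPLATE)):
        out = expand(tpl, {"WORDS": words})
        print(f"{label}: {out}\n   raw <script> present: {contains_raw_script(out)}")
```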