From: Roland B. <rb@Space.Net> - 2004-08-17 17:07:13
Hi there,

ht://dig 3.1.6 (and maybe newer versions) seems to be vulnerable to "phishing" attacks when using the $(WORDS) variable in the result templates.

When I call htsearch like this:

/cgi-bin/htsearch?words=%3Cfont%20color=%22red%22%3Ehello%3C/font%3E

and the nomatch template looks like this:

No results for '$(WORDS)'

the result is

No result for '<font color="red">hello</font>'

This makes any website using the $(WORDS) variable in the result templates vulnerable to "phishing" attacks.

It should be enough to replace "<" and ">" by "&lt;" and "&gt;" in $(WORDS) (and maybe other variables) before output to close this vulnerability.

Could anyone provide a patch to fix this or is this already fixed in 3.2.x?

Regards,
Roland
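
The output encoding proposed in the message above, as an added example that is not part of the original post and is not ht://Dig's own code. The names html_escape and expand are hypothetical, and the sketch goes one step beyond "<" and ">" by also encoding "&" and both quote characters, so the value stays inert when a template places $(WORDS) inside an attribute.

```cpp
#include <iostream>
#include <string>

// Encode the five characters that are significant in HTML text and in
// quoted attribute values. Encoding only '<' and '>' would still let a
// quote end an attribute such as value="$(WORDS)".
std::string html_escape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical template expander: replaces every "$(NAME)" in tmpl with
// the encoded value. The scan advances over the template only, so a value
// that itself contains "$(NAME)" is never expanded a second time.
std::string expand(const std::string &tmpl, const std::string &name,
                   const std::string &value) {
    const std::string token = "$(" + name + ")";
    const std::string safe = html_escape(value);
    std::string out;
    std::string::size_type pos = 0, hit;
    while ((hit = tmpl.find(token, pos)) != std::string::npos) {
        out.append(tmpl, pos, hit - pos);   // literal text before the token
        out += safe;                        // encoded user input
        pos = hit + token.size();
    }
    out.append(tmpl, pos, std::string::npos);
    return out;
}

int main() {
    // Constructed input: the URL-decoded words= parameter from the report.
    const std::string words = "<font color=\"red\">hello</font>";
    std::cout << expand("No results for '$(WORDS)'\n", "WORDS", words);
    return 0;
}
```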