
#756 Advanced Search XSS vulnerability | OBB-1330131

v1.0 (example)
closed-fixed
None
5
2022-10-23
2020-09-14
No

Fixes https://www.openbugbounty.org/reports/1330131/ reported for my instance.

Index: biblio/adv_search_results.py
===================================================================
--- biblio/adv_search_results.py        (Revision 551)
+++ biblio/adv_search_results.py        (Arbeitskopie)
@@ -49,7 +49,7 @@

         def results(self):
                 self.parse_parameters()

-                PrintHeader("Advanced %s Search" % self.search_type)
+                PrintHeader("Advanced %s Search" % cgi.escape(self.search_type))
                 PrintNavbar('adv_search_results', 0, 0, 0, 0)
                 self.set_search_type()
                 self.process_terms()
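Review bot: cgi.escape() is called with its default quote=False, so double and single quotes in search_type pass through unchanged; that is adequate only if PrintHeader places the string in element text, not in an attribute or script, so confirm the sink before relying on it. The hunk also does not show the `import cgi` the call depends on, so check it is already present in the file, and note that cgi.escape was removed in Python 3.8 (html.escape is the replacement) should this code ever be ported.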

Discussion

  • Anonymous

    Anonymous - 2020-09-16

    Also catch error messages
    ~~~
    Index: sources/biblio/adv_search_results.py
    ===================================================================
    --- sources/biblio/adv_search_results.py (Revision 551)
    +++ sources/biblio/adv_search_results.py (Arbeitskopie)
    @@ -49,7 +49,7 @@

         def results(self):
                 self.parse_parameters()
    
    • PrintHeader("Advanced %s Search" % self.search_type)
    • PrintHeader("Advanced %s Search" % cgi.escape(self.search_type))
      PrintNavbar('adv_search_results', 0, 0, 0, 0)
      self.set_search_type()
      self.process_terms()
      @@ -68,10 +68,10 @@
      if display_header:
      PrintHeader('Advanced Search')
      PrintNavbar('adv_search_results', 0, 0, 0, 0)
    • self.display_message('Error: %s' % message)
    • self.display_message('Error: %s' % cgi.escape(message))

       def display_message(self, message):
      
    • print '

      %s

      ' % message

    • print '

      %s

      ' % cgi.escape(message)
      PrintTrailer('adv_search_results', 0, 0)
      sys.exit(0)
      ~~~
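    Review bot: this patch escapes the error path twice: results() now calls display_message('Error: %s' % cgi.escape(message)) and display_message() escapes its argument again, so a message containing `&` renders as `&amp;amp;` and `<` as `&amp;lt;`. Escape once, at the sink in display_message(), and leave the caller passing the raw message.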
     
  • Dirk Stoecker

    Dirk Stoecker - 2020-09-16

    Properly formatted, no double encoding

    Index: sources/biblio/adv_search_results.py
    ===================================================================
    --- sources/biblio/adv_search_results.py        (Revision 551)
    +++ sources/biblio/adv_search_results.py        (Arbeitskopie)
    @@ -49,7 +49,7 @@
    
             def results(self):
                     self.parse_parameters()
    
    -                PrintHeader("Advanced %s Search" % self.search_type)
    +                PrintHeader("Advanced %s Search" % cgi.escape(self.search_type))
                     PrintNavbar('adv_search_results', 0, 0, 0, 0)
                     self.set_search_type()
                     self.process_terms()
    @@ -71,7 +71,7 @@
                     self.display_message('Error: %s' % message)
    
             def display_message(self, message):
    
    -                print '<h2>%s</h2>' % message
    +                print '<h2>%s</h2>' % cgi.escape(message)
                     PrintTrailer('adv_search_results', 0, 0)
                     sys.exit(0)
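    Review bot: moving the escape into display_message() removes the double encoding, but it also changes the output for every caller of display_message(), not only the error path in results(); check that no other call site passes a message that intentionally contains markup, since that markup would now render literally. cgi.escape() here also leaves quotes alone (default quote=False), which is fine for the `<h2>` text content shown but would not be enough in an attribute.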
    
     
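    To illustrate the double-encoding point in the comment above, here is an added example (constructed for this page, not ISFDB code) that mimics the results()/display_message() pair in Python 3, where html.escape stands in for the cgi.escape used in the patches; the function names are constructed, and the attribute helper goes one step beyond the page to show why quote=False is only safe in text context.

```python
import html

# Constructed stand-in for the page's results()/display_message() pair
# (not ISFDB code). Python 3's html.escape replaces cgi.escape, which was
# removed in Python 3.8; quote=False reproduces cgi.escape's default of
# leaving quote characters alone.

def escape_text(value):
    """Escape once for an HTML text node, as cgi.escape(s) did."""
    return html.escape(str(value), quote=False)

def escape_attr(value):
    """Escape for an attribute value: quotes must be encoded too."""
    return html.escape(str(value), quote=True)

def display_message_unpatched(message):
    """Before the fix: the message is interpolated verbatim."""
    return '<h2>%s</h2>' % message

def display_message(message):
    """Accepted patch: the sink escapes, callers pass raw text."""
    return '<h2>%s</h2>' % escape_text(message)

def results_first_patch(message):
    """First proposal: the caller escapes and the sink escapes again."""
    return display_message('Error: %s' % escape_text(message))

def results_fixed(message):
    """Accepted version: escape exactly once, at the sink."""
    return display_message('Error: %s' % message)

if __name__ == '__main__':
    probe = 'Tom & Jerry <b>bold</b>'          # constructed input
    print(display_message_unpatched(probe))     # markup survives into the page
    print(results_first_patch(probe))           # &amp;amp; double encoding
    print(results_fixed(probe))                 # escaped exactly once
    # Text-context escaping leaves the quote intact, attribute escaping does not.
    print('<input value="%s">' % escape_text('say "hi"'))
    print('<input value="%s">' % escape_attr('say "hi"'))
```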
  • Dirk Stoecker

    Dirk Stoecker - 2020-09-26

    A third issue in this page:

    Index: biblio/adv_search_results.py
    ===================================================================
    --- biblio/adv_search_results.py        (Revision 551)
    +++ biblio/adv_search_results.py        (Arbeitskopie)
    @@ -49,7 +49,7 @@
    
             def results(self):
                     self.parse_parameters()
    
    -                PrintHeader("Advanced %s Search" % self.search_type)
    +                PrintHeader("Advanced %s Search" % cgi.escape(self.search_type))
                     PrintNavbar('adv_search_results', 0, 0, 0, 0)
                     self.set_search_type()
                     self.process_terms()
    @@ -71,7 +71,7 @@
                     self.display_message('Error: %s' % message)
    
             def display_message(self, message):
    
    -                print '<h2>%s</h2>' % message
    +                print '<h2>%s</h2>' % cgi.escape(message)
                     PrintTrailer('adv_search_results', 0, 0)
                     sys.exit(0)
    
    @@ -359,7 +359,7 @@
                                     if operator_tuple[0] == selection[1]:
                                             print operator_tuple[1]
                                             break
    
    -                        print selection[2]
    +                        print cgi.escape(selection[2])
                     print '<br>Sort by %s' % self.sort_name
    
             def print_pub_results(self):
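    Review bot: the context line `print '<br>Sort by %s' % self.sort_name`, two lines below the changed line, still interpolates self.sort_name unescaped; if it is taken from the request the way selection[2] is, it needs the same cgi.escape() treatment, and if it comes from a fixed list a short comment saying so would save the next reader the same question. The same check applies to `print operator_tuple[1]` above the change.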
    
     
  • Ahasuerus

    Ahasuerus - 2020-11-20
    • summary: isfdb Cross Site Scripting vulnerability | OBB-1330131 --> Advanced Search XSS vulnerability | OBB-1330131
    • assigned_to: Ahasuerus
     
  • Ahasuerus

    Ahasuerus - 2020-11-20
    • status: open --> closed-fixed
     
  • Ahasuerus

    Ahasuerus - 2020-11-20

    Fixed in biblio/adv_search_results.py, installed in SVN 575 on 2020-11-20. Closing the Bug.

     