Bugtraq mailing list archives
Re: XSS in HTDIG
From: Peter Watkins <peterw () usa net>
Date: Thu, 27 Jun 2002 16:25:24 -0400
On Wed, Jun 26, 2002 at 01:38:48AM -0700, Howard Yeend wrote:
> E.g.:
> http://www.anyhost.com/cgi-bin/htsearch.cgi?words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
> (all URLs must be on one line)
>
> Apologies if this is a known issue. Apologies also for posting about XSS, too, but this is not an isolated website, but a commonly used service.

Howard,

What version is this? With the sample templates in ht://Dig version 3.1.6, the "words" info seems to be properly escaped -- I just see the <script> stuff inside the text input box, and translated on the page. For example,
http://www.htdig.org/cgi-bin/htsearch?config=htdig;words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

My example URL suggests that version 3.1.5 is also immune, though 3.1.5 has other issues that 3.1.6 resolves -- see http://online.securityfocus.com/bid/3410 and http://www.htdig.org/index.html

-Peter

--
Peter Watkins - peterw () tux org - peterw () usa net - http://www.tux.org/~peterw/
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
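
Added example, not part of the original message and not ht://Dig's own code: a small check that automates what the reply above does by eye, decoding the `words` parameter from the quoted test URL and testing whether a response reflects it with its markup characters intact or escaped. The `TEMPLATE` input element and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Test URL quoted in the message above (the payload is the one from the thread).
TEST_URL = ("http://www.htdig.org/cgi-bin/htsearch?config=htdig;words="
            "%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E")

# Assumption: a search-box template of this shape; not ht://Dig's real template.
TEMPLATE = '<input type="text" name="words" value="{}">'


def words_param(url):
    """Return the decoded 'words' value; htsearch URLs may use ';' or '&'."""
    query = urlsplit(url).query.replace(";", "&")
    return parse_qs(query, keep_blank_values=True).get("words", [""])[0]


def render_raw(words):
    """Reflect the value verbatim (the behaviour the original report describes)."""
    return TEMPLATE.format(words)


def render_escaped(words):
    """Escape &, <, >, " and ' so the value stays inside the attribute."""
    return TEMPLATE.format(html.escape(words, quote=True))


def reflected_unescaped(body, words):
    """True if the response contains the value with its markup characters intact."""
    if not any(ch in words for ch in "<>\"'"):
        return False  # value has no markup characters, so the test proves nothing
    return words in body


if __name__ == "__main__":
    w = words_param(TEST_URL)
    for name, render in (("raw", render_raw), ("escaped", render_escaped)):
        body = render(w)
        print(name, "->", "VULNERABLE" if reflected_unescaped(body, w) else "escaped")
        print("   ", body)
```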