Full Disclosure mailing list archives
XSS in yacy 0.31
From: "Donato Ferrante" <fdonato () autistici org>
Date: Fri, 24 Dec 2004 14:52:36 -0000
Donato Ferrante Application: yacy http://www.yacy.net Version: 0.31 Bug: cross site scripting Date: 24-Dec-2004 Author: Donato Ferrante e-mail: fdonato () autistici org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bug 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "YACY: a Java Freeware Open-Source Caching HTTP Proxy and Global P2P-Based Search Engine" xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 2. The bug: ------------ The input strings, into some field, are not filtered by the server so they will appear in the returned page. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerability, try for example: 1. http://[host]:8080/index.html?urlmaskfilter=[XSS] - 2. http://[host]:8080/Wiki.html?page=[XSS] - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ Bug fixed in the version 0.32. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- XSS in yacy 0.31 Donato Ferrante (Dec 24)