Bugtraq mailing list archives
RE: XSS Hole in Fluid Dynamics Search engine
From: "Zoltan Milosevic" <zoltanm () xav com>
Date: Wed, 10 Jul 2002 10:16:11 -0700
Hello,

Thanks for this bug report. I have released an updated version which includes a fix (FDSE version 2.0.0.0055). For the folks at securitybugware.org and securityfocus.com, would you please include a mention of this update if you issue a report.

Thanks,
Zoltan Milosevic
(360) 944-8387
Fluid Dynamics Search Engine
http://www.xav.com/scripts/search/

-----Original Message-----
From: valdeux [mailto:valdeux () aol com]
Sent: Wednesday, July 10, 2002 7:40 AM
To: scripts () nickname net; contact () securitybugware org; bugtraq () securityfocus com; valdeux () aol com
Subject: XSS Hole in Fluid Dynamics Search engine

Name : FD Search Engine
Vendor : Fluid Dynamics - http://www.xav.com
Version : Probably all
Demo : http://www.xav.com/search.pl
Note : Sorry for my poor English ...

-------------------------------------
PROBLEM

For a search whose results span multiple pages, the script uses the variable Rank, which contains the current result number. Anything could be written into it, including HTML tags.

EXAMPLE

http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1>

Note : it works because "test" returns several pages.

SOLUTION

None yet.
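The report above describes a classic reflected XSS: a paging parameter (Rank) that should only ever be a number is echoed into the HTML response unchecked. The following is an added example, not code from FDSE or from either poster, showing the two defensive controls a maintainer would apply to such a parameter: strict type validation of Rank before use, and HTML-escaping of anything that is written into the page or into pager links. The function names, the `search.pl`-style link format and the sample query strings are constructed for illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Upper bound on a result index we are willing to accept (assumed value).
MAX_RANK = 1_000_000


def vulnerable_rank_fragment(query_string: str) -> str:
    """Mirror of the reported behaviour (constructed illustration, not FDSE code):
    the Rank parameter is interpolated into the page without validation or escaping,
    so markup supplied in the URL lands verbatim in the response."""
    params = parse_qs(query_string, keep_blank_values=True)
    rank = params.get("Rank", ["1"])[0]
    return f"<p>Results starting at rank {rank}</p>"


def parse_rank(raw: str) -> Optional[int]:
    """Accept only a plain decimal integer within bounds; return None otherwise.
    A regex over ASCII digits is used rather than str.isdigit(), which also
    accepts Unicode digit characters that int() would not necessarily parse."""
    if not re.fullmatch(r"[0-9]{1,7}", raw):
        return None
    value = int(raw)
    if value < 1 or value > MAX_RANK:
        return None
    return value


def hardened_rank_fragment(query_string: str) -> str:
    """Validate Rank as a number, fall back to page 1 on anything else, and
    still escape the value on output (defence in depth, in case the
    validation is loosened later)."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("Rank", ["1"])[0]
    rank = parse_rank(raw)
    if rank is None:
        rank = 1  # reject and reset rather than trying to "clean" the input
    return f"<p>Results starting at rank {html.escape(str(rank))}</p>"


def next_page_link(terms: str, rank: int, maxhits: int) -> str:
    """Build the 'next page' href the way a pager should: URL-encode every
    query value, then HTML-escape the whole href for use inside an attribute.
    Both the search terms and the numeric parameters go through encoding, so
    neither can break out of the URL or the surrounding HTML."""
    next_rank = rank + maxhits
    query = urlencode({"Terms": terms, "Rank": next_rank, "maxhits": maxhits})
    return html.escape("search.pl?" + query, quote=True)


if __name__ == "__main__":
    # Constructed query string reproducing the shape of the reported request.
    probe = "Realm=All&Terms=test&maxhits=10&Rank=<br><h1>XSS</h1>"
    print(vulnerable_rank_fragment(probe))  # markup reflected into the page
    print(hardened_rank_fragment(probe))    # falls back to rank 1, escaped
    print(next_page_link("<script>", 10, 10))
```

Running the block prints the reflected fragment from the vulnerable path next to the hardened one, so the difference is visible on the same input. The key design choice is that `parse_rank` rejects rather than sanitises: a paging index has exactly one valid form, so there is nothing to clean, and resetting to page 1 on bad input avoids ever having to reason about which characters are "safe".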
Current thread:
- RE: XSS Hole in Fluid Dynamics Search engine Zoltan Milosevic (Jul 10)
- <Possible follow-ups>
- XSS Hole in Fluid Dynamics search Engine VALDEUX (Jul 10)