Full Disclosure mailing list archives
Cross Site Scripting Advisory.
From: full () oakey no-ip com
Date: Wed, 12 Feb 2003 10:54:48 +0000 (GMT)
uk2sec Search Tool Cross Site Scripting Advisory by c0w_d0g3

[ We would just like to say hello to the list as this is our first post ]

uk2sec () oakey no-ip com

== Advisory ==

Many many websites run a 'site search' tool on their webpage with a URL that looks like this:

/search/index.cfm

I am having trouble locating a specific vendor, but according to Windows the possible applications that may run it are:

.CFM
Corel FontMaster
Cold Fusion Template File
Visual dBASE Windows Customer Form

Furthermore, 100% of all the systems we have tested are running IIS/4.0 or IIS/5.0. A quick search on Google returns about 165'000 hits for the search tool.

To connect directly to the search tool - it's usually:

http://www.example.com/search/index.cfm

There are several ways to demo the Cross Site Scripting problem. The first is to connect directly to the /search/index.cfm page and in the search box type:

<script>alert("uk2sec")</script>

And that works.

Sometimes however you need to change this slightly to:

http://www.example.com/search/index.cfm?<script>alert("uk2sec")</script>

And connect... (it will still give you the same page)

And then in the search box (there may be more than one box for detailed searches but just fire it into any) type:

<script>alert("uk2sec")</script>

Press enter to search, and it'll work.

This was tested on multiple browsers as well (Mozilla, IE, Konqueror).

Live examples are not allowed on this list, however it's not hard to find somewhere to test it.

Points to consider - sometimes the JavaScript in the URL you request must be the same script as the one you put in the search box (or that's just what we found on one site we tested).

Regards,

c0w_d0g3
uk2sec
c0w_d0g3 () yahoo co uk

Members: c0w_d0g3, deadbeat.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
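The behaviour the advisory reports is a reflected cross-site scripting flaw: whatever is typed into the search box (or appended to the query string) is written back into the results page without HTML encoding, so the browser parses it as markup. The following is an added example, not code from the advisory or from the unidentified ColdFusion search tool it describes. It models that page in Node.js, shows the unescaped rendering beside the encoded one, and adds the two checks a defender wants: a test that the hardened page no longer carries a raw script tag, and a log-side match that decodes the percent-encoded query IIS writes before looking for the probe. The parameter name "q", the log line and the IP address are constructed assumptions; the advisory gives none of them.

```javascript
// Added example, not code from the advisory or from the (unidentified)
// search tool it describes. Models the reported behaviour in Node.js: a
// search page that reflects the query term into its HTML, first without
// escaping (the vulnerable form) and then with HTML entity encoding (the
// fix). The parameter name "q" is an assumption; the advisory does not
// name the tool's parameter.

// Constructed sample input: the probe string quoted in the advisory.
const PROBE = '<script>alert("uk2sec")</script>';

// Encode the characters that let user-controlled text leave an HTML text
// node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the term is interpolated verbatim into the page
// body and into the search box's value attribute, so any markup in it
// becomes part of the document the browser executes.
function renderSearchPageVulnerable(term) {
  return `<h1>Results for ${term}</h1>\n` +
         `<input type="text" name="q" value="${term}">`;
}

// Hardened rendering: identical template, but every interpolation passes
// through escapeHtml, so the term is displayed as text, not parsed as markup.
function renderSearchPageSafe(term) {
  const t = escapeHtml(term);
  return `<h1>Results for ${t}</h1>\n` +
         `<input type="text" name="q" value="${t}">`;
}

// Recover the term from a request URL. Covers both entry points the
// advisory describes: a named form field (?q=...) and a bare query string
// with no parameter name (index.cfm?<payload>). The WHATWG URL parser
// percent-encodes <, > and " in the query, so the bare form is decoded.
function termFromUrl(url) {
  const u = new URL(url);
  const named = u.searchParams.get('q');
  return named !== null ? named : decodeURIComponent(u.search.slice(1));
}

// Reviewer/test check: does rendered output still carry a raw <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Log-side check for the same probe. IIS stores the query string
// percent-encoded, so a pattern match must decode first or it will miss
// "%3Cscript%3E". Constructed log line in W3C extended format:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
const SAMPLE_LOG_LINE =
  '2003-02-12 10:54:48 192.0.2.10 GET /search/index.cfm ' +
  'q=%3Cscript%3Ealert(%22uk2sec%22)%3C/script%3E 200';

function queryLooksLikeScriptProbe(logLine) {
  const fields = logLine.split(' ');
  const rawQuery = fields[5] || '';
  let decoded;
  try { decoded = decodeURIComponent(rawQuery); } catch (e) { decoded = rawQuery; }
  return containsScriptTag(decoded);
}

// Stand-alone run: show both renderings for the probe term and the log check.
const demoTerm = termFromUrl('http://www.example.com/search/index.cfm?q=' +
                             encodeURIComponent(PROBE));
console.log('--- vulnerable ---\n' + renderSearchPageVulnerable(demoTerm));
console.log('--- hardened ---\n' + renderSearchPageSafe(demoTerm));
console.log('log probe detected:', queryLooksLikeScriptProbe(SAMPLE_LOG_LINE));
```

The fix is output encoding at the point of interpolation, not input filtering: the hardened template is byte-for-byte the same page, only the term is encoded, which is why the test checks the rendered HTML rather than the submitted value. The log check illustrates the advisory's note that the same probe appears both as a form field and in the raw query string, and that any detection rule has to decode what the server logged before matching.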