Cross Site Scripting Advisory.

[full () oakey no-ip com]

uk2sec Search Tool Cross Site Scripting Advisory
by c0w_d0g3

[ We would just like to say hello to the list as is our first post ]

uk2sec () oakey no-ip com


== Advisory ==

Many many websites run a 'site search' tool on their webpage with a URL  
that looks like this:

/search/index.cfm

I am having trouble locating a specific vendor, but according to windows
the possible applications that may run it are:

  .CFM  Corel FontMaster
        Cold Fusion Template File
        Visual dBASE Windows Customer Form

Furthermore, 100% of all the systems we have tested are running IIS/4.0 or 
IIS/5.0.

A quick search on google returns about 165'000 hits for the search tool.

To connect directly to the search tool - its usually:

http://www.example.com/search/index.cfm 


There are several ways to demo the Cross Site Scripting problem.

The first is connect directly to the /search/index.cfm page and in the 
search box type:

<script>alert("uk2sec")</script>

And that works.


Sometimes however you need to change this slightly to:

http://www.example.com/search/index.cfm?<script>alert("uk2sec")</script>

And connect...  (it will still give you the same page)

And then in the search box (there may be more than one box for detailed 
searches but just fire it into any) type:

<script>alert("uk2sec")</script>

Press enter to search, and it'll work.


This was tested on Multiple browsers as well (mozilla, IE, konqueror).

Live examples are not allowed on this list, however its not hard to find 
somewhere to test it.

Points to consider - sometimes the java script in the URL you request, must 
be the same script as the one you put in the search box (or thats just 
what we found on one site we tested).


Regards,

c0w_d0g3
uk2sec


c0w_d0g3 () yahoo co uk

Members:

c0w_d0g3, deadbeat.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html