Re: Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine

[Chris Sharp <illectro2001 () yahoo com>]

Looks like it also affects the asp pages too

search.asp?query=<script>alert(document.cookie)</script>

Chris

--- Sintelli SINTRAQ <sintraq () sintelli com> wrote:
> Cross-Site Scripting Vulnerability in Wrensoft Zoom
> Search Engine
> 09 October 2003
>
> PDF version:
http://www.sintelli.com/adv/sa-2003-02-zoomsearch.pdf
> Background
> Zoom is a package that adds search facilities to
> your website and produces
> fast search results by indexing your website in
> advance. Unlike other
> solutions relying on server-side software, Zoom
> allows you to do this from
> the convenience of your own Windows computer.
>
> More information about the product is available
> here:
> http://www.wrensoft.com/zoom/index.html
>
> Description
> The Zoom Search engine does not properly filter user
> supplied input when
> displaying the search results. This issue allows
> remote attacker to inject
> malicious code in the target system. All the code
> will be executed within
> the context of the website.  An example of such an
> attack is
http://www.victim.com/search.php?zoom_query=<script>alert("hello")</script><script>alert("hello")</script>
> In order for the attack to work a user must click on
> one of these specially
> crafted URLs, which can be sent by email to the
> user, or by the using
> clicking on a link.
>
> Impact
> It is possible for an attacker to retrieve
> information from a user's system.
>
> Versions affected
> Version 2.0 - Build: 1018 (Earlier builds may be
> vulnerable)
>
> Solution
> Upgrade to Build 1019. This can be downloaded from
> http://www.wrensoft.com/ftp/zoomsearch.exe
>
>
> Vulnerability History
> 30 Sep 2003             Identified by Ezhilan of
> Sintelli
> 01 Oct 2003             Issue disclosed to Wrensoft
> 02 Oct 2003             Second notification to
> Wrensoft
> 02 Oct 2003             Vulnerability confirmed by
> Raymond Leung of
> Wrensoft.
> 08 Oct 2003             Sintelli informed of fix
> Wrensoft
> 08 Oct 2003             Sintelli confirms
> vulnerability has been addressed
> 08 Oct 2003             Build 1019 available
> 09 Oct 2003             Sintelli Public Disclosure
>
> Credit
> Ezhilan of Sintelli discovered this vulnerability.
>
> About Sintelli:
> Sintelli is the world's largest provider of security
> intelligence solutions.
> Sintelli is the definitive source for IT Security
> intelligence and is a
> provider of third generation intelligence security
> solutions.
>
> Request a free trial of our alerting solution by
> clicking here
> http://www.sintelli.com/free-trial.htm
>
> Copyright 2003 Sintelli Limited.  All rights
> reserved. www.sintelli.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html