XSS Hole in Fluid Dynamics Search Engine

From: VALDEUXat_private
Date: Wed Jul 10 2002 - 08:48:09 PDT


    Name :      FD Search Engine
    Vendor :    Fluid Dynamics - http://www.xav.com
    Version :   Probably all
    Demo :      http://www.xav.com/search.pl
    
    Note :  Sorry for my poor English ...
    -------------------------------------
    
    
    
    PROBLEM
        For a search whose results span multiple pages, the script uses the variable Rank, which
    contains the current result number.
        Anything can be written into it, including HTML tags.
    
    
    EXAMPLE
        http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1>
    Note : it works because "test" returns several pages.
    
    SOLUTION
        None yet.
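The reflection described above, as an added example that is not part of the original post and is not FDSE's code: a hypothetical Python reimplementation of the result pager (search.pl itself is Perl) that copies Rank into the page unchanged, next to a hardened version that treats Rank as the integer offset it is supposed to be and HTML-escapes it on output. The request URL is constructed from the one in the post; the markup around the link is invented for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request, modelled on the URL given in the advisory. The Rank value
# is the probe payload from the post; the other parameters are as posted.
SAMPLE_URL = ("http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test"
              "&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1>")


def query_params(url):
    """Query string of url as a flat dict (first value wins), roughly what a
    CGI script sees after splitting QUERY_STRING."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_pager_vulnerable(params):
    """Hypothetical reimplementation of the flaw the post describes: Rank is
    interpolated into the HTML exactly as the client sent it, so any markup
    in the parameter becomes part of the response."""
    rank = params.get("Rank", "0")
    return ('<p>Showing results from %s</p>'
            '<a href="search.pl?Rank=%s">Next</a>' % (rank, rank))


def render_pager_fixed(params):
    """Hardened pager with two independent controls:
    1. Rank is only ever a result offset, so accept nothing but a short run of
       digits and fall back to 0 otherwise (allow-list validation).
    2. The value is HTML-escaped when written into the page anyway, so a later
       change that loosens the validation does not reopen the hole (output
       encoding)."""
    raw = params.get("Rank", "0")
    rank = int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else 0
    safe = html.escape(str(rank), quote=True)
    return ('<p>Showing results from %s</p>'
            '<a href="search.pl?Rank=%s">Next</a>' % (safe, safe))


def escape_only(value):
    """Output encoding on its own, shown separately so the effect of each
    control on the posted payload can be inspected."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    params = query_params(SAMPLE_URL)
    print("vulnerable:", render_pager_vulnerable(params))
    print("fixed:     ", render_pager_fixed(params))
    print("escaped:   ", escape_only(params["Rank"]))
```

Validation alone would already close this particular hole, since a result counter has no business containing anything but digits; the escaping is there because the page also reflects the value into an attribute, and a single missed sink is enough for the next reporter.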
    



    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 15:57:23 PDT