[25991] in bugtraq


Re: XSS in HTDIG

daemon@ATHENA.MIT.EDU (Peter Watkins)
Fri Jun 28 16:20:09 2002

Date: Thu, 27 Jun 2002 16:25:24 -0400
From: Peter Watkins <peterw@usa.net>
To: Howard Yeend <h_bugtraq@yahoo.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20020627162524.A25470@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020626083848.41999.qmail@web20304.mail.yahoo.com>; from h_bugtraq@yahoo.com on Wed, Jun 26, 2002 at 01:38:48AM -0700

On Wed, Jun 26, 2002 at 01:38:48AM -0700, Howard Yeend wrote:
> Eg;
> 
> http://www.anyhost.com/cgi-bin/htsearch.cgi?words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
> 
> (all URLS must be on one line)
> 
> Apologies if this is a known issue.
> Apologies also for posting about XSS, too, but
> this is not an isolated website, but a commonly
> used service.

Howard,

What version is this? With the sample templates in ht://Dig version 3.1.6,
the "words" info seems to be properly escaped -- I just see the <script>
stuff inside the text input box, and translated on the page. For example,

http://www.htdig.org/cgi-bin/htsearch?config=htdig;words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

My example URL suggests that version 3.1.5 is also immune, though 3.1.5
has other issues that 3.1.6 resolves -- see 
   http://online.securityfocus.com/bid/3410 and 
   http://www.htdig.org/index.html

-Peter
-- 
Peter Watkins - peterw@tux.org - peterw@usa.net - http://www.tux.org/~peterw/ 
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
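The difference the two posters are seeing, reflected query text that is echoed raw versus text that is HTML-escaped before it lands in the search box and the page body, can be shown in a few lines. The following is an added example written for this page; it is not ht://Dig code and the template fragment, the function names and the decoded payload check are illustrative assumptions. It takes the `words` value exactly as it appears in the reported URL, percent-decodes it, and renders it both unescaped (the behaviour reported) and escaped (the behaviour Peter describes for the 3.1.6 sample templates).

```cpp
// Added example (not ht://Dig code): reflecting a search query into an HTML
// template safely, beside the raw reflection that the report describes.
// The template fragment and function names are assumptions for illustration.
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Decode %XX escapes and '+' as they appear in a query string.
std::string url_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(
                std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16));
            i += 2;
        } else if (in[i] == '+') {
            out += ' ';
        } else {
            out += in[i];
        }
    }
    return out;
}

// Escape the characters that can break out of element text or a
// double- or single-quoted attribute value.
std::string html_escape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical template fragment: the query is echoed twice, once as the
// value of the search box and once as page text, as a search page would.
std::string render(const std::string& words, bool escape) {
    const std::string shown = escape ? html_escape(words) : words;
    return "<input type=\"text\" name=\"words\" value=\"" + shown + "\">\n"
           "<p>Search results for: " + shown + "</p>\n";
}

// The "words" parameter exactly as it appears in the reported URL.
const std::string kReportedWords =
    "%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E";

std::string vulnerable_page() { return render(url_decode(kReportedWords), false); }
std::string hardened_page()   { return render(url_decode(kReportedWords), true);  }

// True if the rendered page still carries a raw <script> tag.
bool contains_script_tag(const std::string& page) {
    return page.find("<script") != std::string::npos;
}

int main() {
    std::cout << "--- unescaped reflection ---\n" << vulnerable_page()
              << "--- escaped reflection ---\n"   << hardened_page();
    return 0;
}
```

In the unescaped output the decoded `"` closes the `value` attribute and `>` closes the `<input>` tag, so the `<script>` element is parsed as markup; in the escaped output the same bytes arrive as `&quot;&gt;&lt;script&gt;…` and are rendered back as literal text inside the box and the paragraph, which is what Peter reports seeing on htdig.org.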
