by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

Google API Search XSS vuln.

Google API Search XSS vuln.
Vuln. dicovered by : r0t
Date: 28 nov. 2005
Vendor:http://www.wwwsearchsolutions.com/google.php
affected version:v1.3.1 and prior

Product Description:
With this script you can be up and running your own Google search engine in just seconds! The Google Search Script uses the Google web API, PHP, and nusoap to get results for your site. Just upload your files, enter your web sites title, Google Key, and you are up and running. The script displays search results 10 per page, supports google's suggested spellings, lets you search just you sites google listing, return result in just your language, compress HTML output, and is 100% template based.

Vuln. description:
Input passed to the "REQ" parameter in "index.php" when performing a search isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

example:
/index.php?REQ=
%3Cscript%3Ealert('r0t%20XSS')%3C/script%3ESubmit=Submit

Solution:
Edit the source code to ensure that input is properly sanitised.

0 Comments:

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew