by r0t,der4444,cembo,VietMafia

Thursday, December 01, 2005

Extreme Search Corporate Edition 6.x XSS vuln.

Vuln. discovered by: r0t
Date: 1 Dec. 2005
Vendor: http://www.extremecorporate.com/index-new.html
Affected version: 6.0 and prior

Product Description:
Power your web site with this premium pay per click search engine. This internet software is a combination of fast PHP code and the very secure Perl code. It features an expansive category editor section and separate affiliate program section.

Vuln. Description:
Input passed to the "search" parameter in "extremesearch.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Example:
/search/extremesearch.php?search=%3Cscript%3Ealert%28%27r0t+XSS%27%29%3C%2Fscript%3E&lang=


Solution:
Edit the source code to ensure that input is properly sanitised.
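As an added illustration (not the vendor's code; the product itself is PHP, and the PHP equivalent of the encoding call is named in a comment), the unsafe reflection beside its encoded form, using the advisory's own example request, plus a small check a defender can run over logged request paths:

```python
import html
from urllib.parse import parse_qs, urlsplit

# The advisory's example request; the query string is the one on the page.
EXAMPLE_URL = ("/search/extremesearch.php?search=%3Cscript%3E"
               "alert%28%27r0t+XSS%27%29%3C%2Fscript%3E&lang=")


def search_param(url: str) -> str:
    """Decode the 'search' parameter the way the application receives it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_unsafe(search: str) -> str:
    """Vulnerable pattern: the raw value is concatenated into the response,
    so a value containing markup becomes part of the page's DOM."""
    return f"<p>Results for: {search}</p>"


def render_safe(search: str) -> str:
    """Hardened pattern: encode for the HTML text context before reflecting.
    PHP equivalent: htmlspecialchars($search, ENT_QUOTES, 'UTF-8')."""
    return f"<p>Results for: {html.escape(search, quote=True)}</p>"


def flags_request(url: str) -> bool:
    """Detection aid for access logs: true when the decoded 'search' value
    carries tag delimiters, as in the advisory's probe."""
    return any(c in search_param(url) for c in "<>")


if __name__ == "__main__":
    value = search_param(EXAMPLE_URL)
    print("decoded parameter:", value)
    print("unsafe:", render_unsafe(value))
    print("safe:  ", render_safe(value))
    print("flagged:", flags_request(EXAMPLE_URL))
```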

2 Comments:

Anonymous told...

This security issue has long been addressed. I have tried it and it doesn't work.

2:05 AM

 
alberthaanstra told...

I like your blog! Do you make money with it? data entry

4:27 AM

 


 
Copyright (c) 2006 Pridels Sec Crew