by r0t,der4444,cembo,VietMafia

Monday, December 05, 2005

Hot Links Pro 3.x XSS vuln.

Vuln. discovered by: r0t
Date: 5 Dec. 2005
Vendor: http://www.mrcgiguy.com/hl3details.shtml
Affected version: 3.x and prior

Product Description:
* Directory style index allows for easy navigation
* Does not require MySQL, MS Access, or any other database software. Hot Links Pro uses its own integrated flat-file database system.
* Outgoing hits are recorded, creating a popular links list and displaying a cumulative hit count which is also used to build a Hot Links Page.
* You control how many links to display on the popular links list
* You control how many hits a site must have before being listed on the Hot Links Page
* Cheat protection using IP address for outgoing hits (1 hit per IP per day)
* Duplicate link verification (now has an option to disable it, or to loosen the restrictions to allow duplicates as long as they're in separate categories).
* Easily edit the look of your directory without having to pick through any of the PERL code. Header and footer HTML is kept in separate text files.
* Will run on most servers with Perl 5.x and SendMail installed. Recommended for Unix/Linux or WinNT.
* Features an easy to edit language file that makes translating the script into other languages painless.
* New split page listings, break up longer category listings for easier navigation.
* Create infinite subcategory levels.
* Most recent listings display right on the index page. You control how many to show.
* Searchfeed.com Results Integration. Share revenue from this PPC giant by incorporating their feed into your directory

Vuln. description:

Input passed to the parameter in "search.cgi" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that user-supplied input is properly sanitised before it is returned to the user.
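As an added illustration of the fix (not Hot Links Pro's own search.cgi, whose parameter name is not given in the advisory; the name "query" and a GET request are assumed), the following Perl CGI fragment shows a search term echoed back unescaped next to the same page rendered with entity encoding at output time:

```perl
#!/usr/bin/perl
# Added example: a minimal reflected search page in the style of a Perl CGI.
# Not the product's code; the parameter name "query" is an assumption.
use strict;
use warnings;
use CGI;
use HTML::Entities qw(encode_entities);

# Vulnerable shape: the raw term is copied into the HTML body and into an
# attribute value, so any markup contained in it becomes part of the page.
sub render_unsafe {
    my ($term) = @_;
    return "<form><input name=\"query\" value=\"$term\"></form>\n"
         . "<p>Results for: $term</p>\n";
}

# Hardened shape: every copy of the term is entity-encoded before it is
# written out. encode_entities() escapes &, <, >, " and ' by default, so
# the term is inert both in text and in a double-quoted attribute.
sub render_safe {
    my ($term) = @_;
    my $safe = encode_entities($term);
    return "<form><input name=\"query\" value=\"$safe\"></form>\n"
         . "<p>Results for: $safe</p>\n";
}

# Use the real query string when run as a CGI; otherwise fall back to a
# constructed probe value (URL-encoded  "><script>alert(1)</script> ) so the
# script also runs from the command line without waiting on STDIN.
my $qs  = $ENV{QUERY_STRING} // 'query=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E';
my $cgi = CGI->new($qs);
my $term = $cgi->param('query') // '';

print $cgi->header(-type => 'text/html');
print "<!-- before the fix -->\n", render_unsafe($term);
print "<!-- after the fix -->\n",  render_safe($term);
```

Only the render_safe() output should remain in a patched script; the unescaped variant is shown solely to make the difference visible when the two renderings are compared.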

Copyright (c) 2006 Pridels Sec Crew