by r0t, der4444, cembo, VietMafia

Thursday, December 01, 2005

Interspire FastFind 2005 XSS vuln.

Vuln. discovered by: r0t
Date: 1 Dec. 2005
Vendor: http://www.interspire.com/fastfind/
Affected versions: 2005 and 2004.

Product Description:
Add powerful, flexible search to your site in minutes. FastFind is the leading PHP search engine, featuring: point and click web based interface, simple 3 step installation wizard, 100% rebrandable, automated scheduling, advanced filtering, and much, much more. Download Interspire FastFind 2005 now and have search set up on your or your clients' site in minutes!


Vuln. Description:
Input passed to the "query" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example (a single URL, shown URL-encoded):
/?query=%3Cscript%3Ealert%28%27r0t%20love%20XSS%27%29%3C%2Fscript%3E&type=advanced&results=20&searchType=1

Solution:
Edit the source code to ensure that input is properly sanitised.
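As an added illustration of that fix (example code written for this page, not Interspire's own source; the function names and the page layout are hypothetical), the reflected "query" value is HTML-encoded for the context it lands in instead of being echoed back raw, and the numeric "results" parameter is validated rather than trusted:

```php
<?php
// Added example, not FastFind's code. Shows the reflected-XSS sink described
// in the advisory and the corresponding fix (output encoding + validation).

// BEFORE: the search term is written straight into the page, so any HTML or
// <script> placed in ?query= is rendered by the visitor's browser.
function render_search_header_vulnerable(string $query, int $results): string
{
    return "<h2>Results for: $query ($results per page)</h2>\n"
         . "<input type=\"text\" name=\"query\" value=\"$query\">\n";
}

// AFTER: every reflected string is encoded for HTML element and attribute
// context. ENT_QUOTES also encodes single quotes, so the value is safe inside
// a quoted attribute as well as in element text.
function render_search_header_fixed(string $query, int $results): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // "results" is meant to be a count: clamp it instead of trusting it.
    $results = max(1, min(100, $results));
    return "<h2>Results for: $safe ($results per page)</h2>\n"
         . "<input type=\"text\" name=\"query\" value=\"$safe\">\n";
}

// Constructed input: the example URL from the advisory. parse_str() performs
// the URL-decoding, which is what the application sees in $_GET.
$exampleUrl = '/?query=%3Cscript%3Ealert%28%27r0t%20love%20XSS%27%29'
            . '%3C%2Fscript%3E&type=advanced&results=20&searchType=1';
parse_str((string) parse_url($exampleUrl, PHP_URL_QUERY), $params);

$query   = (string) ($params['query'] ?? '');
$results = (int) ($params['results'] ?? 10);

$bad  = render_search_header_vulnerable($query, $results);
$good = render_search_header_fixed($query, $results);

echo "--- vulnerable output (script tag reaches the browser) ---\n$bad";
echo "--- fixed output (script tag is inert text) ---\n$good";

// Simple self-check: the fixed output must not contain a live <script> tag.
assert(stripos($bad, '<script') !== false);
assert(stripos($good, '<script') === false);
assert(strpos($good, '&lt;script&gt;') !== false);
```

The same encoding has to be applied to the other reflected parameters (`type`, `searchType`), not just `query`; the advisory names only the one it confirmed.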

Copyright (c) 2006 Pridels Sec Crew