by r0t, der4444, cembo, VietMafia

Saturday, December 03, 2005

Solupress News XSS vuln

Vuln. discovered by: r0t
Date: 3 dec. 2005
Vendor: http://www.inspironetworks.com/solupress/solupress_news.html
Affected version: 1.0 and prior

Product Description:
Solupress News is a comprehensive online news publishing system. Place news and events online easily, without the need for expensive web developers. Articles can have images, audio, video, and indeed any other type of file uploaded with them. The output is what you'd expect from a professional news web site like the nytimes.com or the latimes.com. The AutoActivation feature in Solupress automatically posts your articles online on the date you specify, so you can have your news web site maintain itself while you're on vacation. In addition, a WAP interface allows mobile device users with Internet access to view news, scores, and events on their devices. Solupress works with either a SQL Server or MS Access database.

Vuln. Description:
Input passed to the "keywords" parameter of "search.asp" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


Example:
/search.asp?option=simple&keywords=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&submit1=Find


Solution:
Edit the source code to ensure that input is properly sanitised.

1 Comment:

M. Marconi said...

This issue has been resolved in the new version. Please visit site: www.solupress.com

3:17 AM

Copyright (c) 2006 Pridels Sec Crew