by r0t,der4444,cembo,VietMafia

Thursday, December 22, 2005

WANDSOFT e-SEARCH XSS vuln.

Vuln. discovered by: r0t
Date: 22 Dec. 2005
Vendor: http://www.wandsoft.com/products/
Affected version: latest; e-SEARCH is also used as the search module for WANDSOFT e-Suite 4 and prior.

Product Description:

The WANDSOFT e-SEARCH function allows the content of your website, extranet or intranet to be indexed, so users can find a specific word or topic without having to browse the entire site. Any changes to the site content are automatically updated in the site index, so that WANDSOFT e-SEARCH will always include the latest information in the search results.

The WANDSOFT e-SEARCH functionality enables you to provide better customer care and to reduce the possible frustration of your website visitors – even novice users will be able to locate and go directly to the area they seek immediately.

Why Use WANDSOFT e-SEARCH?

As well as the benefits of using any WANDSOFT e-Suite module, the particular benefits of using WANDSOFT e-SEARCH are:

- Your customers will be delighted to quickly locate the information or page they seek
- Website visitors will remember a positive experience, reflecting well on your organisation
- No training is required; once installed, the WANDSOFT e-SEARCH functionality is automatic


Vuln. Description:

WANDSOFT e-SEARCH contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the search parameters isn't properly sanitised before it is returned to the user in the results page.
This could allow an attacker to create a specially crafted URL that executes arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that the search input is properly sanitised (HTML-encoded) before it is returned to the user.
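To make the fix concrete, the following is an added example (not WANDSOFT's code; the advisory shows none) of the pattern the description refers to: a search term taken from the query string and echoed straight into the results page, next to the same page with the term HTML-encoded at the point where it is written out. The parameter name `q`, the example URL and the page template are assumptions for illustration; the sample request is constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, URL-encoded as a browser would send it.
# The decoded term is  <b>term</b>"  -- harmless markup, enough to show
# whether the page echoes it raw. The "q" parameter name is an assumption.
SAMPLE_URL = "http://example.invalid/search?q=%3Cb%3Eterm%3C%2Fb%3E%22"


def search_term(url: str) -> str:
    """Return the first 'q' query parameter of the request, or '' if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """The flaw the advisory describes: the term is written into the page
    unchanged, both in element content and inside an attribute value, so
    any markup or quote characters in it become part of the HTML."""
    return (
        f"<h1>Results for {term}</h1>\n"
        f'<input type="text" name="q" value="{term}">'
    )


def render_fixed(term: str) -> str:
    """Same page with the term encoded at the output point.  quote=True makes
    html.escape() replace ' and " as well as &, < and >, so the encoded value
    is safe inside a double-quoted attribute as well as in element content."""
    safe = html.escape(term, quote=True)
    return (
        f"<h1>Results for {safe}</h1>\n"
        f'<input type="text" name="q" value="{safe}">'
    )


def echoes_raw(rendered: str, term: str) -> bool:
    """Review check: True if the user-supplied term survives verbatim in the
    rendered page, i.e. its '<', '>' and '"' were not encoded."""
    return term in rendered


if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    print("vulnerable page echoes raw term:", echoes_raw(render_vulnerable(term), term))
    print("fixed page echoes raw term:     ", echoes_raw(render_fixed(term), term))
    print(render_fixed(term))
```

The point of the check is where the encoding happens: filtering on input is easy to get wrong or bypass, whereas encoding each value as it is written into the HTML closes the hole regardless of what the parameter contains. A value placed in a different context (a JavaScript string, a URL attribute) needs the encoding appropriate to that context rather than plain HTML encoding.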

Copyright (c) 2006 Pridels Sec Crew