by r0t, der4444, cembo, VietMafia

Friday, December 16, 2005

Webglimpse XSS vuln.

Vuln. discovered by: r0t
Date: 16 Dec. 2005
Vendor: http://webglimpse.net/
Affected version: 2.14.1 and prior

Product Description:

Webglimpse can index and search any collection of documents you choose: local files, including PDF, MS Word and any other format with an available filter, and remote files spidered from specified websites. Flexible rules allow you to control the output format, the ranking of hits, and which links are spidered. Language templates include Spanish, German, French, Italian, Norwegian, Finnish, Hebrew, Arabic and more. The core indexing program is written in C and scales up to hundreds of GB of data. Web and command-line administration interfaces are provided for managing archives. A partnership with SearchFeed allows webmasters to add sponsored links easily to generate revenue from site visitors.


Vuln. Description:

Webglimpse contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "ID" parameter of "webglimpse.cgi" is not properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that, when opened by a victim, executes arbitrary script in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/webglimpse.cgi?query=&ID=1[XSS]

Solution:
Edit the source code so that the value of the "ID" parameter is validated before use (it is expected to be numeric) and HTML-encoded before it is returned to the user.
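Added example, not code from this advisory or from Webglimpse: a stand-alone Perl script that reflects an ID parameter the way a vulnerable CGI does, beside a hardened version that allow-lists digits and HTML-encodes the value on output. The function names and the HTML fragment are assumptions chosen for illustration; the attack value is constructed to show one concrete expansion of the "1[XSS]" placeholder in the example URL above.

```perl
#!/usr/bin/perl
# Added example for this advisory; not Webglimpse code. The HTML fragment and
# the function names are assumptions used for illustration.
use strict;
use warnings;

# Unsafe: the ID value is interpolated into the page exactly as received.
sub render_unsafe {
    my ($id) = @_;
    return qq{<input type="hidden" name="ID" value="$id">\n};
}

# Encode the five characters that matter in text and double-quoted
# attribute contexts.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Allow-list validation: an archive ID is a number, so only digits are legal.
# \A and \z anchor at the real ends of the string; with ^ and $ a value such
# as "1\n" would also pass, because $ matches before a trailing newline.
sub valid_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9]+\z/;
}

# Hardened: fall back to ID 0 for anything non-numeric, and still encode on
# output so a later relaxation of the rule cannot reintroduce the injection.
sub render_safe {
    my ($id) = @_;
    $id = 0 unless valid_id($id);
    return qq{<input type="hidden" name="ID" value="} . html_escape($id) . qq{">\n};
}

# Constructed attack value: one concrete expansion of the advisory's "1[XSS]".
my $payload = q{1"><script>alert(document.cookie)</script>};

print "unsafe:    ", render_unsafe($payload);
print "hardened:  ", render_safe($payload);
print "hardened:  ", render_safe("42");
```

Both defences are kept on purpose: validation alone only works while the parameter really is numeric, whereas encoding at the point where the value is written into the page protects every reflected value, including ones the script may later decide to accept.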

1 Comment:

Golda Velez said...

Believed fixed in v2.14.5; below are the diffs. Thanks for the report, and any further suggestions are welcome!

(Note, I may not check back to this blog, so please use the contact form on http://webglimpse.net to reach me.)

===================================================================
RCS file: /usr/local/cvs/wg2/cgi-bin/webglimpse.cgi,v
retrieving revision 1.65
diff -r1.65 webglimpse.cgi
225a226,230
> # sanitize inputs to avoid XSS vulnerability, except in actual query string
> if ($pname ne 'query') {
> $pvalue =~ s/[\/ ;\[\]\<\>&\t]/_/g;
> }
>
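Review bot: the substitution in the 225a226,230 hunk is a denylist, so characters it does not list, among them `"`, `'`, `=`, `(` and `)`, still reach the output unchanged, and a value reflected inside a quoted HTML attribute can still close the attribute or append an event handler. Encoding `<`, `>`, `&`, `"` and `'` as HTML entities at the point where each value is written into the page is the robust fix, and it would also cover the `query` parameter that this check deliberately exempts, which otherwise depends entirely on whatever escaping happens at output. Replacing the characters with `_` also silently rewrites the request instead of rejecting it, which hides the problem from both the user and the log.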
246a252,257
>
> # security check
> # double-check validity of ID - should be numeric
> if ($id !~ /^[0-9]+$/) {
> $id = 0;
> }
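Review bot: in the 246a252,257 hunk, `$id !~ /^[0-9]+$/` lets a value such as `"1\n"` through, because `$` in a Perl regex also matches just before a trailing newline; anchor with `\A` and `\z` (`if ($id !~ /\A[0-9]+\z/)`) so that only an all-digit string passes. Otherwise this is the stronger of the two hunks: allow-listing the expected format makes the earlier `_` substitution unnecessary for `ID`, and the same pattern (validate against the expected shape, then default) is what the other reflected parameters should get instead of character stripping.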

10:52 AM

Copyright (c) 2006 Pridels Sec Crew