Open Forum...
The Message:
I've noticed that SiteSearch allows potentially malicious code to be embedded in URLs.
To verify the problem try this URL. I have changed the less than and greater than symbols
in the code because I'm afraid of the code running once I've posted it.
/cgi-bin/Search_engine/Scripts/search_engine.cgi?
keywords=testLESSTHANSIGNscript%20language="javascript"GREATERTHANSIGNalert("bad_code_here")
LESSTHANSIGN/scriptGREATERTHANSIGN
Put this code in the address line in your web browser, change the LESSTHANSIGN and
GREATERTHANSIGN text to the appropriate symbol, hit return and you
should get a bad_code_here message box.
An attacker could create a URL pointing to a site using SiteSearch. When an unsuspecting
user clicks the URL, the browser would go to the target site and then something odd might happen.
To the user it'll seem the problem is with the target site, not the link.
Solution: get rid of less than and more than signs in the input?
Phil