eXtropia: the open web technology company
Site Search for phrases  
posted the following security warning on our Open Forum...

The Message:


  I've noticed that SiteSearch allows potentially malicious code to be embedded in URLs.  
  To verify the problem try this URL.  I have changed the less than and greater than symbols 
  in the code because I'm afraid of the code running once I've posted it.  

  http://www.extropia.com/cgi-bin/Search_engine/Scripts/search_engine.cgi?
  keywords=testLESSTHANSIGNscript%20language="javascript"GREATERTHANSIGNalert("bad_code_here")
  LESSTHANSIGN/scriptGREATERTHANSIGN

  Put this code in the address line in your web browser, change the LESSTHANSIGN and 
  GREATERTHANSIGN text to the appropriate symbol, hit return and you 
  should get a bad_code_here message box.

  An attacker could create a URL pointing to a site using SiteSearch.  When an unsuspecting 
  user clicks the URL, the browser would go to the target site and then something odd might happen.  
  To the user it'll seem the problem is with the target site, not the link.

  Solution: get rid of less than and more than signs in the input?

  Phil
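
The fix suggested in the post, next to full output encoding, as an added example that is not eXtropia's code. It assumes the script echoes the `keywords` parameter into the results page; `escape_html` and `strip_angles` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not eXtropia's search_engine.cgi: encode the "keywords"
# value before echoing it into the results page.
use strict;
use warnings;

# Map each HTML-significant character to its entity.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# escape_html (hypothetical helper): output-encode untrusted text so the
# browser renders it as text in element content and quoted attributes.
sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# strip_angles (hypothetical helper): the filter proposed in the post.
sub strip_angles {
    my ($text) = @_;
    $text =~ tr/<>//d;
    return $text;
}

# Constructed input: the test value from the post with real angle brackets.
my $keywords = 'test<script language="javascript">alert("bad_code_here")</script>';

# Element context: both approaches stop the tag from being parsed.
print "escaped : <b>", escape_html($keywords), "</b>\n";
print "stripped: <b>", strip_angles($keywords), "</b>\n";

# Quoted attribute context (e.g. re-filling the search box): stripping leaves
# the double quotes, so the value ends early; escaping keeps it intact.
print 'escaped : <input name="keywords" value="', escape_html($keywords), "\">\n";
print 'stripped: <input name="keywords" value="', strip_angles($keywords), "\">\n";
```

Encoding at output also keeps legitimate searches that contain `<`, `>` or `&` working, which stripping does not.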