BXR
Bug #201
Vulnerability: HTB22505
| Status: | Closed | Start: | 07/22/2010 |
| Priority: | Urgent | Due date: | |
| Assigned to: | - | % Done: | 100% |
| Category: | - | Spent time: | - |
| Target version: | 0.6.9 | | |
Description
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the /search/show_results script to properly sanitize user-supplied input in "search[query]" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:

```html
<form action="http://host/search/show_results" method="post" name="main">
  <input type="hidden" name="search_type" value="filename" />
  <input type="hidden" name="search[query]" value='1"><script>alert(document.cookie)</script>' />
  <input type="hidden" name="commit" value="Find!" />
</form>
<script>
  document.main.submit();
</script>
```
History
Updated by Dave Hulihan 45 days ago
- Status changed from New to Closed
- % Done changed from 0 to 100
I've sanitized the user-inputted search query in app/views/search/show_results.html.erb by using Rails' native h function, on line 3:
```erb
<i>Your query "<%= h @search_query %>" produced <%= @result.size %> result(s)</i><br>
```
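The difference the one-line fix makes can be reproduced outside Rails with plain ERB. This is an added example, not BXR's own code: `SearchView` is a stand-in for the Rails view context, `h` comes from `ERB::Util` (the same escaping helper Rails exposes in views), and the sample query is constructed from the payload shape in the PoC above.

```ruby
require "erb"

# Constructed sample query, shaped like the PoC payload (not taken from a live system)
SAMPLE_QUERY = '1"><script>alert(document.cookie)</script>'

# Pre-fix view line: the query is interpolated into the HTML unescaped
VULNERABLE_TEMPLATE =
  '<i>Your query "<%= @search_query %>" produced <%= @result.size %> result(s)</i><br>'
# Post-fix view line: the query is passed through h before interpolation
FIXED_TEMPLATE =
  '<i>Your query "<%= h @search_query %>" produced <%= @result.size %> result(s)</i><br>'

# Minimal stand-in for the view context: exposes the instance variables the
# template reads and the h helper, then renders the template with ERB
class SearchView
  include ERB::Util  # provides h (alias for html_escape)

  def initialize(query, results)
    @search_query = query
    @result = results
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Render a template the way show_results would, for a given query and result set
def render_results(template, query, results = [])
  SearchView.new(query, results).render(template)
end

# Detection check: does the rendered HTML still carry a raw <script> tag from the input?
def reflects_script_tag?(html)
  html.include?("<script>")
end

if __FILE__ == $0
  puts "vulnerable: #{render_results(VULNERABLE_TEMPLATE, SAMPLE_QUERY)}"
  puts "fixed:      #{render_results(FIXED_TEMPLATE, SAMPLE_QUERY)}"
end
```

With `h`, the `<`, `>` and `"` characters in the query are emitted as `&lt;`, `&gt;` and `&quot;`, so the browser renders the payload as text instead of executing it.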