Bug: Sphider 1.3.4 Cross Site Scripting (WLB-2008110139 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Sphider 1.3.4 Cross Site Scripting
 Credit: Christian Holler
 Date: 2008.11.25
 CWE: CWE-79 (Show similar)
 CVE: CVE-2008-5211 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Low
No
Yes

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Sphider Cross Site Scripting Vulnerability

Original release date: 2008-04-29

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/sphider134-xss.txt

Source: Christian Holler <http://users.own-hero.net/~decoder/>

Systems Affected:

Sphider 1.3.4 (http://www.sphider.eu/) - A PHP Search Engine

Severity: Moderate

Overview:

Sphider is a search engine that has several features; one is a search suggestion

feature as in "Did you mean xyz?" that corrects possible typos in your search,

without however sanitizing this output. This feature is off by default, but

turned on by many sites for convenience.

I. Description

The output of the suggestion feature in Sphider does output the complete query

if there is at least one word in this query that has the script has found a

possible correction for. This word is highlighted and the rest of the search

query is returned as it is. However, this output is completely unsanitized,

allowing HTML/Javascript to be included.

II. Impact

Depending on the site where this search script is deployed, this attack can be

used to steal cookies from other users by tricking them into visiting a given

URL.

III. Proof of concept

search.php?query=xsss%20%3Cscript%3Ealert('HELLO');%3C/script%3E&search=
1

where the first word in the query, "xsss" is a word that can be corrected by

the search script. This generally depends on the indexed site(s) but such a

word is very easy to find.

IV. Solution

Currently none, author has been informed.

Timeline:

2008-04-29: Author informed

2008-05-06: Vulnerability notice published

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.6 (GNU/Linux)

iD8DBQFIIMGYJQIKXnJyDxURAm44AJ9JbT+63Krpg95BZatccKal29DhkwCgoAE9

eNhj/JgskwQVKgmdnFBEVG0=

=DZrL

-----END PGP SIGNATURE-----

References:

http://xforce.iss.net/xforce/xfdb/42240
http://www.securityfocus.com/bid/29074
http://www.securityfocus.com/archive/1/archive/1/491712/100/0/threaded
http://users.own-hero.net/~decoder/advisories/sphider134-xss.txt
http://secunia.com/advisories/30082

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com