Trellis Desk v1.0 XSS Vulnerability

2009.03.13
Credit: larry
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

This problem has been reported to the author, but no action has been taken to resolve it. The search box does not sanitise its input: the advisory describes the flaw as "simple XSS SQL injection", i.e. the search keyword is used without escaping, and files it under CWE-79.

Affected code: sources/article.php, around line 519:

    $searchstring = $this->ifthd->input['keywords'];

Suggested fix: add the following line immediately after it:

    $searchstring = mysql_real_escape_string( $searchstring );

Caveat: mysql_real_escape_string() only escapes the value for use inside a MySQL query string. It does nothing for the XSS half of the report, because HTML and script content in the keyword is still reflected into the page unchanged; that requires output encoding (htmlspecialchars() or equivalent) wherever the keyword is rendered. Note also that mysql_real_escape_string() belongs to the ext/mysql extension, which was removed in PHP 7; a parameterised query (mysqli or PDO prepared statements) is the durable fix for the SQL side.
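The following is an added illustration, not code from the advisory or from Trellis Desk. Only the expression `$this->ifthd->input['keywords']` and the file/line reference come from the advisory; the query shape, the `articles` table and `title` column, the mysqli `$db` handle and the `$input` array passed in place of `$this->ifthd->input` are assumptions made for the example. It shows the unsanitised-keyword pattern the advisory describes (both the SQL side and the reflected-output side) next to a hardened version.

```php
<?php
// Added illustration, not Trellis Desk source. Only the keyword lookup
// ($this->ifthd->input['keywords'], here $input['keywords']) is from the
// advisory; the query, table/column names and output markup are assumed.

// --- Vulnerable pattern, as the advisory describes it ----------------------
function search_vulnerable(mysqli $db, array $input): string
{
    $searchstring = $input['keywords'];   // untrusted, not escaped

    // SQL side: the keyword is concatenated into the query text, so a single
    // quote in the keyword ends the string literal and the rest is parsed
    // as SQL.
    $sql  = "SELECT id, title FROM articles WHERE title LIKE '%" . $searchstring . "%'";
    $rows = $db->query($sql);

    // XSS side: the same keyword is echoed back into the page unencoded, so
    // any markup or <script> in it is rendered by the browser.
    $html = '<p>Results for: ' . $searchstring . '</p><ul>';
    if ($rows) {
        while ($row = $rows->fetch_assoc()) {
            $html .= '<li>' . $row['title'] . '</li>';
        }
    }
    return $html . '</ul>';
}

// --- Hardened version -------------------------------------------------------
function search_hardened(mysqli $db, array $input): string
{
    $searchstring = (string)($input['keywords'] ?? '');

    // SQL side: a parameterised query. The value is bound, never spliced
    // into the SQL text, so there is no escaping step to forget. This
    // replaces the mysql_real_escape_string() call the advisory suggests,
    // which only exists in the ext/mysql extension removed in PHP 7.
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE title LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // LIKE wildcards in user input are escaped so "%" or "_" in the keyword
    // match literally instead of acting as wildcards.
    $pattern = '%' . addcslashes($searchstring, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result();

    // XSS side: output encoding. The keyword (and every database value)
    // is HTML-escaped at the point it is written into the page, so it can
    // only ever be displayed as text.
    $enc  = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<p>Results for: ' . $enc($searchstring) . '</p><ul>';
    if ($rows) {
        while ($row = $rows->fetch_assoc()) {
            $html .= '<li>' . $enc((string)$row['title']) . '</li>';
        }
    }
    return $html . '</ul>';
}
```

Both halves matter: the single line the advisory proposes closes only the query-string side. If the keyword is also reflected into the response (the CWE-79 classification implies it is), the `htmlspecialchars()` call in the hardened version is the part that actually addresses the XSS.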

References:

http://seclists.org/bugtraq/2009/Mar/0129.html

Copyright 2024, cxsecurity.com