SyntaxCMS /search/results.php search_query Variable XSS

2005-12-21T09:48:32
ID OSVDB:21859
Type osvdb
Reporter r0t(krustevs@googlemail.com)
Modified 2005-12-21T09:48:32

Description

Vulnerability Description

SyntaxCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "search_string" variable upon submission to the results.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

Successful exploitation requires the use of results.php. The actual problems lie in none_found.tpl and results.tpl. The file that is included depends on whether any results are found for the query. It should also be noted that results.php is generally not part of the requesting URL.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

SyntaxCMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "search_string" variable upon submission to the results.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

/search/?search_query=[XSS]

References:

Vendor URL: http://www.syntaxcms.org/ Secunia Advisory ID:18207 Other Advisory URL: http://pridels.blogspot.com/2005/12/syntaxcms-xss-vuln.html CVE-2005-4496 Bugtraq ID: 16033