Vivísimo Content Engine Search Parameter XSS

2003-10-20T09:34:42
ID OSVDB:2701
Type osvdb
Reporter OSVDB
Modified 2003-10-20T09:34:42

Description

Vulnerability Description

Vivísimo Content Engine contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the "query" variable upon submission to the search script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: filter incoming URLs.

Manual Testing Notes

http://vulnserver.com/search?query=<script>alert(document.domain)</script>
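One way to close the flaw at the point where the "query" parameter is reflected, shown as an added example (not code from Vivísimo or OSVDB): a hypothetical Node.js search-page renderer with the unencoded "before" beside an output-encoded "after", run on the test URL above. The function names and the page markup are assumptions made for illustration.

```javascript
// Hypothetical search-page renderer; all names here are assumptions,
// not Vivísimo Content Engine code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML element or
// quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Extract the "query" parameter named in the advisory from a request URL.
// searchParams.get() returns the percent-decoded value, or null if absent.
function getQuery(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('query');
  return q === null ? '' : q;
}

// "Before": reflects the parameter verbatim, which is the behaviour the
// advisory describes. Kept only for comparison with the hardened form.
function renderVulnerable(requestUrl) {
  return `<h1>Results for ${getQuery(requestUrl)}</h1>`;
}

// "After": the same page with the value encoded wherever it is written,
// both as element text and inside a quoted attribute.
function renderHardened(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<h1>Results for ${q}</h1>` +
         `<input name="query" value="${q}">`;
}

// The manual test string from this advisory, used as sample input.
const sample =
  'http://vulnserver.com/search?query=<script>alert(document.domain)</script>';

console.log('before:', renderVulnerable(sample));
console.log('after: ', renderHardened(sample));
```

In the hardened output the test string appears as inert text, so the browser displays it instead of parsing it as markup.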

References:

Vendor URL: http://vivisimo.com/
Secunia Advisory ID: 10033