Vulners
Lucene search
CyberKendra Search Bar Cross Site Scripting
🗓️ 23 Jun 2013 00:00:00Reported by Prakhar PrasadType 
packetstorm🔗 packetstormsecurity.com👁 15 Views
`[RHA InfoSec] CyberKendra Search Bar Script DOM Based XSS Vulnerability
Details
=============
Risk: Moderated
Vendor-URL: http://www.cyberkendra.com/
Credits
=============
Discovered by: Rafay Baloch And Prakhar Prasad of RHA InfoSec
Blog: http://rafayhackingarticles.net
Description
============
Cyber Kendra wrote a custom search script that allowed the users to easily
search for
stuff on their website.
Vulnerability Details
======================
The vulnerability is a DOM Based xss vulnerability, as our payload was
being embedded into the
DOM and was being returned to the user without proper escaping which
resulted in a DOM Based XSS.
The showresult Function contained the following code, where the input was
being executed
via innerhtml without being sanitised. The skeleton is our user
controllable parameter.
skeleton="<h4>"+config.resultTitle+" ""+input.value+""</h4>"
resultContainer.innerHTML=skeleton;
Fix
===
We reported the vulnerability to CyberKendra team and also pointed to the
vulnerable code.
However, instead of fixing it, they just removed the whole search script.
--
Warm Regards,
Rafay Baloch
http://rafayhackingarticles.net
http://techlotips.com
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jun 2013 00:00Current