yacyXSS.txt

2005-01-01T00:00:00
ID PACKETSTORM:35542
Type packetstorm
Reporter Donato Ferrante
Modified 2005-01-01T00:00:00

Description

Donato Ferrante  
  
  
Application: yacy  
http://www.yacy.net  
  
Version: 0.31  
  
Bug: cross site scripting  
  
Date: 24-Dec-2004  
  
Author: Donato Ferrante  
e-mail: fdonato@autistici.org  
web: www.autistici.org/fdonato  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
1. Description  
2. The bug  
3. The code  
4. The fix  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
----------------  
1. Description:  
----------------  
  
Vendor's Description:  
  
"YACY: a Java Freeware Open-Source Caching HTTP Proxy and Global  
P2P-Based Search Engine"  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
2. The bug:  
------------  
  
Input strings passed in some fields are not filtered by the server, so  
they appear in the returned page as supplied.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
3. The code:  
-------------  
  
To test the vulnerability, try for example:  
  
1.  
http://[host]:8080/index.html?urlmaskfilter=[XSS]  
-  
2.  
http://[host]:8080/Wiki.html?page=[XSS]  
-  
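
For defenders reviewing logs of a 0.31 instance, the following added example (not part of the original advisory, and not YaCy code) flags requests to the two pages above whose listed parameter carries HTML metacharacters. It assumes common-log-format access lines, for instance from a reverse proxy in front of YaCy; the sample lines, the /other.html path and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page -> parameter pairs named in the advisory.
WATCHED = {"/index.html": "urlmaskfilter", "/Wiki.html": "page"}
# Characters that change the HTML context if echoed without encoding.
MARKUP = re.compile(r"[<>\"']")
# Request line inside a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_values(log_line):
    """Return (path, param, value) for watched parameters carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    param = WATCHED.get(url.path)
    if param is None:
        return []
    # parse_qs percent-decodes once, so encoded and literal markup both match.
    values = parse_qs(url.query, keep_blank_values=True).get(param, [])
    return [(url.path, param, v) for v in values if MARKUP.search(v)]


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2004:10:00:01 +0000] "GET /index.html?urlmaskfilter=.* HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/Dec/2004:10:00:07 +0000] "GET /index.html?urlmaskfilter=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5144',
    '192.0.2.12 - - [24/Dec/2004:10:01:15 +0000] "GET /Wiki.html?page=start HTTP/1.1" 200 2048',
    '192.0.2.13 - - [24/Dec/2004:10:01:40 +0000] "GET /Wiki.html?page=%3Ci%3Eprobe%3C%2Fi%3E HTTP/1.1" 200 2101',
    '192.0.2.14 - - [24/Dec/2004:10:02:02 +0000] "GET /other.html?page=%3Cb%3E HTTP/1.1" 200 900',
]


def scan(lines):
    """Collect (line_number, path, param, value) for every flagged request."""
    return [(n, *hit) for n, line in enumerate(lines, 1)
            for hit in suspicious_values(line)]


if __name__ == "__main__":
    for n, path, param, value in scan(SAMPLE_LOG):
        print(f"line {n}: {path} {param}={value!r}")
```

A hit only shows that markup was submitted to one of the affected parameters; whether it was echoed back depends on the version serving the request.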
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
4. The fix:  
------------  
  
Bug fixed in version 0.32.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  