40229 : ht://dig htsearch sort Variable XSS
Printer | http://osvdb.org/40229 | Email This | Edit Vulnerability

Views This Week
23

Views All Time
512

Info

Last Modified
3 months ago

Percent Complete
100%

Disclosure
Nov 27, 2007

Discovery
Unknown

Dates

Exploit
Nov 27, 2007

Solution
Unknown

Description

 ht://Dig contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'sort' variable upon submission to the htsearch script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

 Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Third Party Solution
Exploit: Exploit Available
OSVDB: Web Related

Solution

 Currently, there are no known upgrades, patches, or workarounds available to correct this issue. However, several vendors have independently released their own patches to address this issue.

Products
The ht://Dig Group
Watch-list
ht://Dig
Watch-list
 3.2.0b6

References

Tools & Filters

Nessus

 28334 28344 28346 29198 29204 29337 29461

Manual Testing Notes

Credit
  • Michael Skibbe -

Blogs

Provided by Technorati

2007/12/09 03:28:11 | 1095

from: 2008buydigitalcamera.com

1095 December 8th, 2007 >> 1095 - Wikipedia, the free encyclopedia Events. The country of Portugal is established for the second time ... 2007:1095 Moderate. >> RHSA-2007-1095: htdig (CVE-2007-6110) Users of htdig are advised

2007/11/23 00:00:00 | CVE-2007-6110

from: National Vulnerability Database

CVE-2007-6110 Publish Date: 11/23/2007 Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote attackers to inject arbitrary web script or HTML via the sort parameter.

2007/12/11 22:11:48 | [SECURITY] [DSA 1429-1] New htdig packages fix cross site scripting

from: HostLix.de

[SECURITY] [DSA 1429-1] New htdig packages fix cross site scripting Debian Security Advisories Kein Kommentar ยป Package : htdig Vulnerability : cross site scripting Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-6110 Debian Bug : 453278 Michael Skibbe discovered that htdig, a WWW search system for an intranet or small

Comments

Add Comment

No Comments.

DONATE NOW!

User Status

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use