Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
 Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Closed)
 Topic.asp SearchTerms Bug		  Forum Locked  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

Hamlin
Advanced Member

United Kingdom
2386 Posts
Posted - 05 December 2007 :  17:44:05  Show Profile
Line 985
if Request.QueryString("SearchTerms") <> "" then Response.Write("                <input type=""hidden"" name=""SearchTerms"" value=""" & Request.QueryString("SearchTerms") & """>" & vbNewLine)

Replace with
if Request.QueryString("SearchTerms") <> "" then Response.Write("                <input type=""hidden"" name=""SearchTerms"" value=""" & Server.HTMLEncode(Request.QueryString("SearchTerms")) & """>" & vbNewLine)


In my opinion that value of SearchTerms should be sanitised before being written to the page, because of possible cross site scripting issues.

(Apology if this is old, I could not find any reference in the bug forums.)<
Edited by - AnonJr on 17 March 2009 19:10:31

Shaggy
Support Moderator

Ireland
6780 Posts
Posted - 06 December 2007 :  04:03:35  Show Profile
The value in that querystring variable is never passed through to the database, it's just used to highlight search terms in a post so it won't leave you open to an XSS attack. I agree that it should be sanitised, though, just in case there're any mods that use it in a query.

<
Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Edited by - Shaggy on 06 December 2007 04:04:19
Go to Top of Page

Hamlin
Advanced Member

United Kingdom
2386 Posts
Posted - 06 December 2007 :  04:09:54  Show Profile
quote:
Originally posted by Shaggy

The value in that querystring variable is never passed through to the database, it's just used to highlight search terms in a post so it won't leave you open to an XSS attack. I agree that it should be sanitised, though, just in case there're any mods that use it in a query.


But you could use it to pass through some JavaScript, which could then do some funky stuff. You would have to get a user to click the link though, but I still think it's has the potential for problems.

Perhaps I have the wrong idea about XSS, but the ability to create a link that could run random JavaScript code seems a perfect example?<
Edited by - Hamlin on 06 December 2007 04:27:48
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts
Posted - 06 December 2007 :  04:27:34  Show Profile
Hadn't thought about that, was just thinking about it from a db point of view 'cause of the latest bug.

<
Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Go to Top of Page

Hamlin
Advanced Member

United Kingdom
2386 Posts
Posted - 06 December 2007 :  13:42:31  Show Profile
I've been playing around with this, and although I can create a link that steals the cookie (so in theory can access the site based on the info in that cookie) actually getting a user to click on the link would not be possible via a forum page at least, they would have to go via an outside site.

So not very feasible, pretty fun to play around with though
<
Go to Top of Page

Davio
Development Team Member

Jamaica
12217 Posts
Posted - 07 January 2008 :  15:59:07  Show Profile
Fixed in version 3.4.07.<
Support Snitz Forums
Go to Top of Page
  Previous Topic Topic Next Topic  
 Forum Locked  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.11 seconds. Powered By: Snitz Forums 2000 Version 3.4.07