Snitz Forums 2000 - (v3.4.03) Security Related BUG+FIX: search.asp

Snitz Forums 2000

Username:	Password:
Save Password
Forgot your Password?

All Forums

Snitz Forums 2000 DEV-Group

DEV Bug Reports (Closed)

(v3.4.03) Security Related BUG+FIX: search.asp

Forum Locked

Topic Locked

Printer Friendly

Author

Topic

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 16 June 2003 : 21:30:31

search.asp

around line #640 find the following:

			"                <td bgColor=""" & strPopUpTableColor & """ align=""left"" valign=""middle""><input type=""text"" name=""Search"" size=""40"" value=""" & Request.QueryString("Search") & """><br />" & vbNewLine & _

replace that entire line with this:

			"                <td bgColor=""" & strPopUpTableColor & """ align=""left"" valign=""middle""><input type=""text"" name=""Search"" size=""40"" value=""" & trim(ChkString(Request.QueryString("Search"),"display")) & """><br />" & vbNewLine & _

favorini
Starting Member

USA
27 Posts

Posted - 16 June 2003 : 23:00:53

Richard,

You can still do something like this:

/search.asp?Search=mouse%20here"%20onmouseover="alert('hi');

This is because ChkString(Request.QueryString("Search"),"display") doesn't encode double quotes. Any reason for it not to?
OK, just noticed there is chkString(Request.Form("Search"),"search") which is used around line 808. Would this be better for the new fix as well?

-Francis

Edited by - favorini on 17 June 2003 00:23:13