| VID |
210085 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The ht://Dig htsearch CGI is vulnerable to a cross-site scripting vulnerability via the sort parameter. ht://Dig is a freely available, open source search engine software. ht://Dig version 3.2.0b6 is vulnerable to a cross-site scripting vulnerability, caused by improper validation of user-supplied input passed to the 'sort' parameter of the 'htsearch' script. This vulnerability could allow a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
* References:
http://sourceforge.net/mailarchive/forum.php?thread_name=200709251310.55835.mskibbe%40suse.de&forum_name=htdig-dev
http://www.frsirt.com/english/advisories/2007/4038
* Platforms Affected:
ht://Dig Group, ht://Dig 3.2.0b6
Linux Any version
Unix Any version |
| Recommendation |
No upgrade or patch available as of June 2014.
As a workaround, edit the source code to ensure that input is properly sanitized. |
| Related URL |
CVE-2007-6110 (CVE) |
| Related URL |
26610 (SecurityFocus) |
| Related URL |
38759 (ISS) |
|
