| Field | Value |
|---|---|
| VID | 21398 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The ht://Dig htsearch CGI is vulnerable to a cross-site scripting attack. ht://Dig is freely available, open source search engine software. ht://Dig versions 3.1.6 and earlier are vulnerable to cross-site scripting, caused by improper handling of user-supplied input in the 'words' variable of the htsearch.cgi script. A remote attacker could create a specially crafted URL that, when opened by a user, executes arbitrary script code in that user's browser within the trust relationship between the browser and the server. References: http://www.osvdb.org/displayvuln.php?osvdb_id=7590 and http://www.securityfocus.com/archive/1/279568. Platforms Affected: ht://Dig Group ht://Dig 3.1.6 and earlier; Linux (any version); Unix (any version). |
| Recommendation | Upgrade to the latest version of ht://Dig (3.2.0b6 or later), available from the ht://Dig Web site at http://www.htdig.org/ |
| Related URL | CVE-2002-2010 (CVE) |
| Related URL | 5091 (SecurityFocus) |
| Related URL | 9433 (ISS) |