XSS/RFI Script Security Vulnerability - HELP

 

 


mark99
User

Jun 29, 2009, 6:41 AM

Post #1 of 4 (4793 views)

Hacker informed me that the latest (last) release of this script has an XSS or RFI vulnerability and offered the following example URL (my domain removed for security):

http://www.MYSITE.com/cgi-bin/listman/exec/search.cgi?search=1&template=%3Cb%3Elol%3C/b%3E_search.html&perpage=20&marknew=5&sort_order=1%2Cabc%2Cforward&euro_numbers=0&lfield1_keyword=%3Cb%3Elol%3C%2Fb%3E&search=Search

Not quite sure about this but he found others in different scripts on the site too and they checked out so..


Dave
Staff / Moderator


Jun 29, 2009, 5:00 PM

Post #2 of 4 (4789 views)
Re: [mark99] XSS/RFI Script Security Vulnerability - HELP

Hi mark99,

There are two types of data in that URL that they are trying to exploit: the "template" filename and the "keyword".

For the template, only valid templates will work. If you specify another file path you'll get an error like this: "Template : Template cell 'not_found' is not defined!".

For the field1_keyword, it will pass that information through in the prev/next page links, but I don't see an XSS issue.

My guess is they ran an automated scanning tool on your site that reports anything that looks suspicious and emails you. Are they asking for money?

In any case, I think you're ok with this one. But feel free to email me direct at dave@interactivetools.com if you have any further concerns or see anything else that looks like it might be a problem.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
 


mark99
User

Jun 29, 2009, 11:26 PM

Post #3 of 4 (4787 views)
Re: [Dave] XSS/RFI Script Security Vulnerability - HELP

But since I use custom templates for different categories, and they show up in the custom URLs because there's no other way to do it, does this not represent a problem?


Dave
Staff / Moderator


Jun 29, 2009, 11:56 PM

Post #4 of 4 (4786 views)
Re: [mark99] XSS/RFI Script Security Vulnerability - HELP

No, because the script will generate an error if it doesn't find the template tags in the file. So there is no way to view or access any files on the server that aren't meant to be search results templates.

Dave Edis - Senior Developer
interactivetools.com
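
The two checks discussed in this thread, as an added example that is not part of the original posts and is not Listings Manager's own code: the `template` parameter is accepted only if it is a plain, allowlisted filename, and the keyword is URL-encoded and HTML-escaped before it is reflected in a next-page link. The allowlist entries, the `page` parameter and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: the search-result templates this site actually ships.
ALLOWED_TEMPLATES = {"_search.html", "homes_search.html", "autos_search.html"}
# Shape check: a bare filename, no path separators, dots or markup.
TEMPLATE_NAME = re.compile(r"[A-Za-z0-9_-]+\.html")


def safe_template(name, default="_search.html"):
    """Return name only if it is a plain, allowlisted template filename."""
    if name and TEMPLATE_NAME.fullmatch(name) and name in ALLOWED_TEMPLATES:
        return name
    return default


def page_link(script, params, page, label):
    """Build a pagination anchor: URL-encode the query, then HTML-escape."""
    query = urlencode(params + [("page", str(page))])  # "page" is hypothetical
    href = html.escape(f"{script}?{query}", quote=True)
    return f'<a href="{href}">{html.escape(label)}</a>'


def next_link(url, page=1):
    """Re-emit the request's search parameters in a safe next-page link."""
    parts = urlsplit(url)
    params = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "template":
            value = safe_template(value)
        if key != "page":
            params.append((key, value))
    return page_link(parts.path, params, page + 1, "Next >>")


# The URL quoted in post #1, host as redacted by the poster.
REPORTED_URL = (
    "http://www.MYSITE.com/cgi-bin/listman/exec/search.cgi?search=1"
    "&template=%3Cb%3Elol%3C/b%3E_search.html&perpage=20&marknew=5"
    "&sort_order=1%2Cabc%2Cforward&euro_numbers=0"
    "&lfield1_keyword=%3Cb%3Elol%3C%2Fb%3E&search=Search"
)

if __name__ == "__main__":
    print(next_link(REPORTED_URL))
```

The markup in `template` falls back to the default template, and the keyword survives only in percent-encoded form inside the `href`, so the browser never sees it as a tag.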