Re: [htdig] Cert Advisory


Subject: Re: [htdig] Cert Advisory
From: Gilles Detillieux (grdetil@scrc.umanitoba.ca)
Date: Fri Feb 04 2000 - 11:25:32 PST


According to Brett Dikeman:
> I just tried using HTML tags in the input field to the default
> search form supplied and htdig promptly ignored the <>'s and treated
> the tags like they were keywords.
>
> Brett
>
> At 1:50 PM -0500 2/4/00, Julie Shaw wrote:
> >Has the htdig code been re-examined in light of the
> >latest CERT advisory on the cross-site scripting issue?
> >
> >http://www.cert.org/advisories/CA-2000-02.html
> >
> >
> >In particular, the input to htsearch?

I haven't taken a really good look, but I think there may be some issues
to deal with. I think right now, there are potential problems if you
embed quotes in the "words" field, because they show up unencoded in
the followup search form. I think that could open up a can of worms.

I expect that other input parameters, like restrict and exclude, may have
similar problems. I'd also think that careless use of the allow_in_form
attribute could open up all sorts of problems, from allowing users to
change attributes they really shouldn't have access to, to allowing the
insertion of HTML tags in the output.

-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
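The problem Gilles describes, the "words" term being echoed unencoded into the follow-up search form's value attribute, is illustrated below with an added example. This is not htdig's own code; `html_attr_escape`, `render_words_input` and `attribute_intact` are assumed names, and the search term is a constructed sample.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Encode a string for use inside a double-quoted HTML attribute value.
// &, ", <, > and ' are replaced so that user input can neither close the
// attribute early nor introduce a new tag into the page.
std::string html_attr_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '"':  out += "&quot;"; break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Build the "words" input of a follow-up search form. With encode=false the
// submitted term is copied verbatim (the weak pattern the post points at);
// with encode=true it is attribute-encoded first.
std::string render_words_input(const std::string& words, bool encode) {
    return "<input type=\"text\" name=\"words\" value=\""
         + (encode ? html_attr_escape(words) : words) + "\">";
}

// Check that the rendered tag still has exactly three quoted attributes
// (six double quotes) and a single pair of angle brackets. Any raw quote
// or bracket leaking from the term breaks these counts.
bool attribute_intact(const std::string& tag) {
    return std::count(tag.begin(), tag.end(), '"') == 6
        && std::count(tag.begin(), tag.end(), '<') == 1
        && std::count(tag.begin(), tag.end(), '>') == 1;
}

int main() {
    // Constructed search term containing quotes, an ampersand and brackets.
    const std::string term = "\"rock & roll\" <music>";
    std::cout << "unencoded: " << render_words_input(term, false)
              << "  intact=" << attribute_intact(render_words_input(term, false)) << "\n";
    std::cout << "encoded:   " << render_words_input(term, true)
              << "  intact=" << attribute_intact(render_words_input(term, true)) << "\n";
    return 0;
}
```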




This archive was generated by hypermail 2b28 : Fri Feb 04 2000 - 11:27:31 PST