team4alfanous team mailing list archive

Thread
Date

[Bug 939115] Re: the url "http://alfanous.org/?search=" does not filter input and accepte js code

To: team4alfanous@xxxxxxxxxxxxxxxxxxx
From: Assem Chelli (عاصم شلي) <assem.ch@xxxxxxxxx>
Date: Thu, 23 Feb 2012 08:07:21 -0000
Reply-to: Bug 939115 <939115@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thank you for submitting
The website's  "search" request is a completely client-side , there are no user login, no login cookies to be token.  Have you an example how to exploit this to do something harmful?


** Changed in: alfanous
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Alfanous
team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/939115

Title:
  the url "http://alfanous.org/?search="; does not filter input and
  accepte js code

Status in Alfanous  - Advanced Quranic Search Engine:
  Opinion

Bug description:
  When some one do a search like http://alfanous.org/?search="test"; the word test is 
  printed in the page without proper encoding and the parameter search does not filter
  what it take as kayword, example if you replace "test" by "<script>alert(1)</script>"
  you'll see the result, so the website is vulnerable to the most basic xss attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/alfanous/+bug/939115/+subscriptions

Follow ups

Re: [Bug 939115] Re: the url "http://alfanous.org/?search=" does not filter input and accepte js code
From: z, 2012-02-23

References

[Bug 939115] [NEW] the url "http://alfanous.org/?search=" does not filter input and accepte js code
From: z, 2012-02-22