← Back to team overview

team4alfanous team mailing list archive

  1. team4alfanous team
  2. Mailing list archive
  3. Message #00020

Re: [Bug 939115] Re: the url "http://alfanous.org/?search=" does not filter input and accepte js code

  Thread PreviousDate PreviousThread Next 
THanks for your reply,
In my opinion we have more to protect than a cookie or a user account, it's
abount
the integrity of data (quoran) and because the injection can be made in the
url so
someone can manipulate a search result and make it like alfenous did it or
use alfanous
as a proxy to hurt other website and be blacklisted in search engine, so
you chouse
about it, and finaly it's not that hard to be corrected, so it's apt to you
to think that it's
juste my opinion and not a security bug.
Good luck.

2012/2/23 Assem Chelli (عاصم شلي) <assem.ch@xxxxxxxxx>

> Thank you for submitting
> The website's  "search" request is a completely client-side , there are no
> user login, no login cookies to be token.  Have you an example how to
> exploit this to do something harmful?
>
>
> ** Changed in: alfanous
>       Status: New => Opinion
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/939115
>
> Title:
>  the url "http://alfanous.org/?search="; does not filter input and
>  accepte js code
>
> Status in Alfanous  - Advanced Quranic Search Engine:
>  Opinion
>
> Bug description:
>  When some one do a search like http://alfanous.org/?search="test"; the
> word test is
>  printed in the page without proper encoding and the parameter search does
> not filter
>  what it take as kayword, example if you replace "test" by
> "<script>alert(1)</script>"
>  you'll see the result, so the website is vulnerable to the most basic xss
> attack.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/alfanous/+bug/939115/+subscriptions
>

-- 
You received this bug notification because you are a member of Alfanous
team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/939115

Title:
  the url "http://alfanous.org/?search="; does not filter input and
  accepte js code

Status in Alfanous  - Advanced Quranic Search Engine:
  Opinion

Bug description:
  When some one do a search like http://alfanous.org/?search="test"; the word test is 
  printed in the page without proper encoding and the parameter search does not filter
  what it take as kayword, example if you replace "test" by "<script>alert(1)</script>"
  you'll see the result, so the website is vulnerable to the most basic xss attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/alfanous/+bug/939115/+subscriptions

References

  Thread PreviousDate PreviousThread Next