[VIM] Verified EveryAuction "searchstring" XSS
Steven M. Christey
coley at mitre.org
Wed Dec 14 01:54:40 EST 2005
I verified the EveryAuction "searchstring" via source inspection in
auction.pl of EveryAuction version 1.53:
>local %form = &get_form_data;
>if ($form{'action'} eq 'new') { &new; }
>...
>
>elsif ($form{'action'} eq 'search') { &procsearch; }
>
>...
>
>sub procsearch {
> print "<H2>Search Results - $form{'searchstring'}</H2>\n";
get_form_data() just does basic URL conversion.
Enlightened disinterest behooves me to speak not of additional likely
issues discovered during verification.
- Steve
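The pattern described above, shown as an added example that is not part of this message or of EveryAuction: the raw interpolation from procsearch beside an output-encoded version of the same print. The helper names (html_escape, render_unsafe, render_safe) and the sample parameters are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for a value placed in an HTML text context
# (hypothetical helper; HTML::Entities' encode_entities does the same job).
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample of what get_form_data would return for a crafted
# request: the search term carries markup instead of a plain word.
my %form = (
    action       => 'search',
    searchstring => '<script>alert(1)</script>',
);

# Vulnerable pattern, as in auction.pl 1.53: the parameter is
# interpolated straight into the response, so the browser parses its tags.
sub render_unsafe {
    my ($form) = @_;
    return "<H2>Search Results - $form->{'searchstring'}</H2>\n";
}

# Hardened version: encode before the value reaches the HTML, so the
# same input is rendered as literal text.
sub render_safe {
    my ($form) = @_;
    return "<H2>Search Results - "
         . html_escape($form->{'searchstring'})
         . "</H2>\n";
}

print "unsafe: ", render_unsafe(\%form);
print "safe:   ", render_safe(\%form);
```

The unsafe line emits the `<script>` element verbatim; the safe line emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays rather than executes.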