[VIM] My Amazon Store Manager 1.0 - q or Keywords parameter?

security curmudgeon jericho at attrition.org
Thu Jan 26 22:30:50 EST 2006


: Refs:
: 
: BID:16312
: FRSIRT:ADV-2006-0252
: SECUNIA:18535
: OSVDB:22626
: 
: Issue:
:   
: These VDBs claim that the affected parameter is "q".
: 
: I can't figure out where the VDBs got this, since there is no original
: raw report.  OSVDB thankfully has an archive of the notification here:
: 
:   MISC:http://osvdb.org/ref/22/22626-my_amazon.txt
: 
: but it contains this demonstration URL:
: 
:   [hostname]musicstore/index.php?Operation=ItemSearch&Keywords="><script>alert(document.cookie)</script>&SearchIndex='
: 
: No "q" in sight.
: 
: What gives?

For OSVDB, this was us trusting Secunia since they tend to dig into some 
vulns more than we do. They reported 'q' which we trusted as the 
underlying issue. 

I'm going to change it back to Keywords until Secunia can confirm this. 
Bad move on my part originally.


More information about the VIM mailing list