Non-persistent XSS in BizDir
Summary
- Vulnerability
- Non-persistent XSS in BizDir
- Discovered
- 2010.11.29
- Last Update
- 2010.12.10 Solution updated.
- ID
- EV0158
- CVE
- n/a
- Risk Level
- low
- Type
- Cross Site Scripting
- Status
- Fixed. Patched version is available.
- Vendor
- LEXIPIXEL (http://www.lexipixel.com/)
- Vulnerable Software
- BizDir
- Version
- v.05.10
- PoC/Exploit
- Available
- Solution
- Available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Cross Site Scripting found in BizDir script.
- Non-persistent XSS
- It is possible to inject xss code into f_srch parameter in bizdir.cgi script.
Parameter f_srch is not properly sanitized before being used in HTML code.
PoC/Exploit
Non-persistent XSS Example.
XSS example: http://website/cgi-bin/bizdir/bizdir.cgi?f_mode=srch& f_srch=<XSS inj>&f_srch_mode=SOME&f_start_at=1
Solution.
Vendor reported that code was fixed.
Update to 2010-12-09 patched v5.10 script.