Ivan Marković
Security consultant and researcher
Long experience in designing and implementation of security solutions, mainly oriented on web, mobile and embedded applications. Author of penetration testing tools, recognized by OWASP organization and BackTrack Linux distribution. Researching work includes discovery of vulnerabilities of numeral applications and services, and for these, author received public apreciations by Microsoft Company..
sNews "search_query" Cross-Site Scripting Vulnerability
|| Security Net Advisory #D.25.7.06.a
Title : sNews CMS v1.4 XSS injection
Impact : Cross Site Scripting
Type : Remote
Vendor :
- Url : http://www.solucija.com/
- Status: Vendor was first contacted on 25.7.2006.
|| Vulnerability
Input passed to the "search_query" parameters in snews.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session.
|| Solution:
In snews.php already exist function cleanXSS().
|| Contact
Author : Ivan Markovic
Site : www.security-net.biz
http://security-net.biz/adv/D25706a.txt
http://www.securityfocus.com/bid/19156/info
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3916