Search CGI executing arbitrary code?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Search CGI executing arbitrary code?

    A friendly (we think) user sent us a link which ran a search with a string that was a piece of arbitrary JavaScript, as in, ?zoom_query=<script>Alert('hi')</script>. One team-member ran it and, while doing no harm, it got stuck in Firefox sufficiently to require an uninstall/reinstall.

    The implication was obviously that more harmful code could have been run. Possibly it's a cgi configuration issue rather than Zoom but perhaps there are some config options you could alert us to?

    Thanks,

    Stewart Wallace

  • #2
    I think you must be confused or running a very very old release of the CGI.

    Here is the same query in the CGI on our server:
    http://www.wrensoft.com/cgi-bin/search.cgi?zoom_query=<script>Alert('hi')</script>

    The script is not executed.
    (And even if it was, there is no possible way it would result in needing to re-install Firefox)

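    What decides the outcome reported in #2 is whether search.cgi HTML-encodes the zoom_query value before echoing it into the results page. The following is an added example, not code from this thread or from Wrensoft's search.cgi: it extracts the zoom_query parameter from a constructed URL and contrasts the reflected-unencoded pattern with the encoded one, using the thread's own query string as test input.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Query string taken from the thread above; constructed here as test input.
SAMPLE_QUERY = "<script>Alert('hi')</script>"

# Constructed URL (example.invalid is a placeholder host, not a real server).
SAMPLE_URL = "http://example.invalid/cgi-bin/search.cgi?zoom_query=" + SAMPLE_QUERY


def query_from_url(url: str) -> str:
    """Return the zoom_query parameter as a CGI would see it after URL-decoding."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("zoom_query", [""])[0]


def render_unencoded(query: str) -> str:
    """The pattern that produces reflected XSS: the raw query is pasted into HTML,
    so any markup in it becomes live markup in the results page."""
    return f"<p>Results for: {query}</p>"


def render_encoded(query: str) -> str:
    """The safe pattern: encode <, >, &, and quotes so the browser shows the
    query as text instead of parsing it as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_raw_markup(page: str, query: str) -> bool:
    """Defender's check: does the query survive into the page unencoded?
    True means the page would hand the query to the HTML parser as-is."""
    return "<" in query and query in page


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    for label, page in (("unencoded", render_unencoded(q)),
                        ("encoded", render_encoded(q))):
        print(f"{label:10} reflects raw markup: {reflects_raw_markup(page, q)}")
        print("  ", page)
```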
    • #3
      Nevertheless, that's exactly what happened. Our server was set up a bit over 2 years ago. I gather there's nothing in the configuration of Zoom itself we should check to stop this behaviour?

      Thanks,

      Stewart Wallace
      0417 420 155

      • #4
        Check which version of Zoom you are using. Click "help"->"about" in the Indexer.

        Update to the latest:
        http://www.wrensoft.com/zoom/whatsnew.html

        If you are still experiencing problems, make sure you are updating all the files listed at the end of indexing, including "search.cgi" and you're not using an older copy of the file.
        --Ray
        Wrensoft Web Software
        Sydney, Australia
        Zoom Search Engine
