[VIM] Verified EveryAuction "searchstring" XSS

Steven M. Christey coley at mitre.org
Wed Dec 14 01:54:40 EST 2005

I verified the EveryAuction "searchstring" via source inspection in
auction.pl of EveryAuction version 1.53:

>local %form = &get_form_data;
>if ($form{'action'} eq 'new') { &new; }
>elsif ($form{'action'} eq 'search') { &procsearch; }
>sub procsearch {
>	print "<H2>Search Results - $form{'searchstring'}</H2>\n";

get_form_data() just does basic URL conversion.

Enlightened disinterest behooves me to speak not of additional likely
issues discovered during verification.

- Steve

More information about the VIM mailing list