[VIM] My Amazon Store Manager 1.0 - q or Keywords parameter?

Steven M. Christey coley at mitre.org
Mon Jan 23 13:52:03 EST 2006

Lovely little provenance issue for us ignorant types.



These VDBs claim that the affected parameter is "q".

I can't figure out where the VDBs got this, since there is no original
raw report.  OSVDB thankfully has an archive of the notification here:


but it contains this demonstration URL:


No "q" in sight.

What gives?

- Steve

Name: CVE-2006-0334
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0334
Reference: MISC:http://osvdb.org/ref/22/22626-my_amazon.txt
Reference: BID:16312
Reference: URL:http://www.securityfocus.com/bid/16312
Reference: FRSIRT:ADV-2006-0252
Reference: URL:http://www.frsirt.com/english/advisories/2006/0252
Reference: OSVDB:22626
Reference: URL:http://www.osvdb.org/22626
Reference: SECUNIA:18535
Reference: URL:http://secunia.com/advisories/18535

Cross-site scripting (XSS) vulnerability in search.php in My Amazon
Store Manager 1.0 allows remote attackers to inject arbitrary web
script or HTML via the Keywords parameter.  NOTE: some sources claim
that the affected parameter is "q", but the only public archive of the
original researcher notification shows an XSS manipulation in
