Looking under the hood? Interested in a job? Send a mail....

Silva Security Bulletin: Potential security issue with Silva Find

Publication date: 7.November.2008, 10:42

7 November 2008 – We have had a security issue brought to our attention by Russ McRee from HolisticInfoSec.org that potentially affects all Silva installations that include the Silva Find extension. This advisory should prompt an update if Silva Find is in use on your site.

The issue

Silva Find 1.1.5 and earlier contain a flaw that allows remote cross site scripting. Cross-site scripting occurs where the "fulltext" variable doesn’t properly sanitize input upon submission to the search script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity.

It is important to update your installation(s) as soon as possible.

The fix

Deploy the relevant version of Silva Find to your site. In fact you only need to update Silva Find, but the fix is contained in the following ‘silva-all’ releases:

https://infrae.com/download/Silva/2.1.0.2/Silva-2.1.0.2-all.tgz
https://infrae.com/download/Silva/2.0.12.2/Silva-2.0.12.2-all.tgz
https://infrae.com/download/Silva/1.6.3.2/Silva-1.6.3.2-all.tgz

We sincerely apologize for the inconvenience this undoubtedly causes for some of you.

More information

Link to Advisory: http://holisticinfosec.org/content/view/91/45/

FMI contact Eric Casteleijn, eric at infrae com, +31 10 243 7051.