Silva Security Bulletin: Potential security issue with Silva Find
Publication date: 7.November.2008, 10:42
7 November 2008 – We have had a security issue brought to our attention by Russ McRee from HolisticInfoSec.org that potentially affects all Silva installations that include the Silva Find extension. This advisory should prompt an update if Silva Find is in use on your site.
Silva Find 1.1.5 and earlier contain a reflected cross-site scripting flaw. The value of the "fulltext" request parameter is not properly sanitized when it is submitted to the search script and is echoed back into the results page. This allows an attacker to construct a specially crafted URL that, when opened by a victim, executes arbitrary script in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
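The following is an added illustration of the bug class described above and of the fix a maintainer would apply; it is not Silva Find's code and does not reproduce the real search script. Only the parameter name "fulltext" comes from the bulletin; the URL, the page layout and the function names are assumptions. The "vulnerable" renderer reflects the raw search term, the "fixed" renderer entity-escapes every untrusted value before it reaches the markup.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a crafted search URL of the kind the advisory describes.
# The host, path and payload are illustrative; "fulltext" is the parameter named
# in the bulletin.
CRAFTED_URL = (
    "http://example.org/search"
    "?fulltext=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def fulltext_from_url(url):
    """Extract the decoded 'fulltext' query parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("fulltext", [""])[0]


def render_results_vulnerable(fulltext, hits):
    """Hypothetical results page that reflects the raw search term unescaped.

    This is the pattern behind a reflected XSS: whatever the attacker placed in
    the URL becomes part of the HTML served back to the victim.
    """
    items = "".join("<li>%s</li>" % hit for hit in hits)
    return "<p>Results for: %s</p><ul>%s</ul>" % (fulltext, items)


def render_results_fixed(fulltext, hits):
    """Same page with HTML entity escaping applied to every untrusted value.

    Escaping is applied to the search term and to each result title, since
    result titles are also data the server did not author itself.
    """
    items = "".join("<li>%s</li>" % html.escape(hit, quote=True) for hit in hits)
    return "<p>Results for: %s</p><ul>%s</ul>" % (
        html.escape(fulltext, quote=True),
        items,
    )


def contains_script_tag(markup):
    """Crude check used by this demonstration: is there a live <script> element?

    An escaped payload renders as the text '&lt;script&gt;...' and no longer
    contains a real tag, so this returns False for the fixed output.
    """
    return "<script" in markup.lower()


if __name__ == "__main__":
    term = fulltext_from_url(CRAFTED_URL)
    hits = ["Silva Find release notes"]  # constructed sample result title
    print("decoded parameter:", term)
    print("vulnerable page  :", render_results_vulnerable(term, hits))
    print("fixed page       :", render_results_fixed(term, hits))
```

Run stand-alone, the script prints the two renderings side by side; the vulnerable one carries a working <script> element, the fixed one shows the payload as harmless text. The same pair of renderers can be used as a regression test once the real template has been patched: feed it the crafted parameter and assert that no unescaped tag survives.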
It is important to update your installation(s) as soon as possible.
Deploy the relevant version of Silva Find to your site. Only Silva Find itself needs to be updated, but the fix is also contained in the following 'silva-all' releases:
We sincerely apologize for the inconvenience this undoubtedly causes for some of you.
Link to Advisory: http://holisticinfosec.org/content/view/91/45/