©2004 Marc Reed
SiteSearch Indexer wrongly accused of vulnerability to XSS hack

A recent Google search on SiteSearch Indexer has revealed to me that SiteSearch Indexer has been wrongly accused of a vulnerability to something known as the 'XSS hack'. XSS is an abbreviation for 'cross site scripting', but this accusation is unfounded. Sites reporting this 'problem' usually state:

SiteSearch Indexer contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "searchField" parameter in "searchresults.asp" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

This accusation refers to the search results page, and not the SiteSearch Indexer application itself. The claim is that the search results page does not adequately filter against malicious user input.

How the XSS hack works:
A malicious user enters some JavaScript or VBScript code into a text field on a website and submits a form. This form generates either an HTML web page, or a link displayed in a web page. This link is where the danger lies. The URL of this link may be crafted to execute some client-side JavaScript that could steal cookie data from that website and send it to third parties, possibly leading to 'account hijacking'. Of course this URL may also send you to a site that might expose you to some form of spyware attack.

Why the XSS hack does not apply to SiteSearch Indexer:
This does not apply to SiteSearch Indexer because the form submission does not create any permanent pages or URLs that might be left on a website for another user to encounter. If a user conducts a search on your website, the list of URLs generated is not written or stored anywhere; it is temporary and exists only in memory. A user will not encounter results from another user's search. Nothing gets written to a database, text file, cookie, or otherwise that may be retrieved later.

Why was SiteSearch Indexer accused of this vulnerability?
Because users type their search terms into a text field, and the results of that search are displayed on the resulting page, SiteSearch may have appeared to be a candidate for the XSS hack. This is the result of a misunderstanding or generalization, and possibly generated by one of SiteSearch Indexer's desperate competitors.

Although the XSS hack does not apply to SiteSearch Indexer, SiteSearch Indexer may also have been singled out because it did not perform the kind of user-input 'sanitizing' required for sites that are vulnerable to the XSS attack. So, in the hope of finally putting this issue to rest, the following search scripts have been updated to perform the recommended user-input 'sanitizing':

If you have been an existing user of SiteSearch Indexer 3.x prior to June 19th 2006 and would like to have peace of mind regarding this issue, click on the link above to download a zip file containing the file appropriate to your search solution. Or just download and reinstall SiteSearch Indexer and your existing configurations and registration information will be preserved. 'Sanitized' simply means that the functions in these files have been modified to remove any ">", "<", "(" or ")" characters that get entered into the search field during runtime.
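As an added illustration (not SiteSearch Indexer's own code, and not searchresults.asp, which is an ASP page), here is the strip-style sanitizer described above written in JavaScript, next to HTML encoding, the context-aware alternative that keeps the user's original term intact on the results page. The function names and the results-heading template are assumptions made for this example.

```javascript
// Added illustration (not SiteSearch Indexer's code): the strip-style
// sanitizer the notice describes, beside context-aware HTML encoding.

// Remove the four characters the notice says the updated scripts strip.
function stripSearchField(input) {
  return String(input).replace(/[<>()]/g, "");
}

// Encode for an HTML text context instead of stripping: the term is shown
// exactly as typed, but none of it can become markup.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical "You searched for" line of a results page, rendered with a
// chosen sanitizer before the term is echoed back to the browser.
function renderSearchHeading(term, sanitize) {
  return `<p>You searched for: <b>${sanitize(term)}</b></p>`;
}

// Defender-side check: the rendered fragment must contain only the tags
// the template itself emits (<p> and <b>), whatever the term was.
function onlyExpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(p|b)>$/.test(t));
}

// Constructed sample terms a user of the Presidents demo might type.
const sampleTerms = ["Lincoln (Abe)", 'Adams "John"', "1789 <b>1897</b>"];
```

Note that stripping silently changes the search term ("Lincoln (Abe)" becomes "Lincoln Abe"), while encoding preserves it; both keep the rendered heading free of unintended tags.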

The installation package for Version 3.5 was updated on June 19th, 2006 to include the updated support files listed above.

I stand by my software and have deep respect for my users' right to privacy. Click here to read my pledge of privacy.

--Marc Reed
2006