Security Vulnerabilities Reported

WON'T FIX ico.org.uk

ico.org.uk

XSS vulnerability through the search results page.

The search query is sent as a GET parameter and is not escaped when rendered within a JavaScript block in the search results page. This allows code to be executed when this function is called (from a button press) from a malicious URL.

The developers of the site had correctly escaped the user input throughout the HTML content of the page, however forgot the importance of escaping user input correctly within the context of JavaScript.

function moreSearchResults() {  
  var paglink ="?q=";alert();//&ps=25&docdate=all&sitesection=all";
  var page  = currentPage+1;
  var mr = paglink + "&p="+ page;
  ...

Disclosure Timeline

07 May 2017 Used online contact form to report vulnerability: https://ico.org.uk/global/contact-us/email
09 May 2016 17:00 Email received from "Digital Architect" asking for more information about the vulnerability
09 May 2017 20:26 Reply sent with example URL and details on how the XSS comes about on the page
09 May 2017 at 20:37 Reply acknowledging problem with thanks
02 September 2017 15:37 I chase up response asking when it will be fixed but get no reply
27 November 2017 23:00 I publish page after over 6 months of reporting the vulnerability and getting no further response

Reported Won't Fix

Back