------------------------------------------------------------------------
Cross-Site Scripting (XSS) at musiq.no search
------------------------------------------------------------------------

Author: Audun Larsen (larsen at xqus dot com)
Date: Dec 25, 2008

--AFFECTED SOFTWARE--------------------------

Name: musiq.no

--DISCUSSION---------------------------------

musiq.no is vulnerable to a Non-Persistent (or reflected)
Cross-Site Scripting attack. The problem exists because of the lack
of properly escaping user input before using it to repopulate the search field.

--PROOF OF CONCEPT---------------------------

http://www.musiq.no/search.php?ul=www.musiq.no&ps=10&wf=222210&wm=wrd&q="><script>alert("XSS");</script>

--TIMELINE-----------------------------------

Dec 25, 2008: Bug found
Dec 25, 2008: red@musiq.no notified
Dec 28, 2008: Webmaster reports security hole fixed

--DISCLAIMER---------------------------------

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

Copyright © 2008 Audun Larsen, some rights reserved:
http://creativecommons.org/licenses/by-sa/3.0/