Problem:

All versions of the Webinator 4 search script released before December 19, 2002 contain a cross-site scripting vulnerability. Affected versions are 4.0 through 4.0.6 and 4.1 through 4.2.3. Versions 4.0.7 and 4.2.4+, released on or after December 19, 2002, fix the problem.

For more details about cross-site scripting vulnerabilities and potential impact see CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.

Diagnosis:

Find out whether you are affected by either of the two methods below:

  • View the top of the search script. It will say "Webinator 4.x.y".
  • Enter the Webinator admin interface and select a profile. At the top right, under the Thunderstone logo, it will say "Webinator 4.x.y".

Fix (2 different options):

  • You may download current search, dowalk, and webinatoradmin scripts from the Webinator examples page. 4.0 users should scroll to the bottom of that page and download version 4.0.7. 4.1 and 4.2 users should download the latest 4.2.N version. Save the files with no extensions. They are drop-in replacements for your existing scripts.
  • If you have made customizations, or don't want to download for whatever reason, you may make the fix yourself by editing the search script. In the putmsg function (look for <a name=putmsg>), change:
      <fmt "\n<!-- %03d %s:%d: %s -->"
    to:
      <fmt "\n<!-- %03d %H:%d: %H -->"
    Also change:
      <noticebox>WARNING: $ret</noticebox>
    to:
      <noticebox><fmt "WARNING: %H" $ret></noticebox>
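
To make the effect of the two edits above concrete, here is an added Python model of them; it is not Thunderstone's code and not Vortex. The fix replaces %s with %H so that the function name, the message and $ret are HTML-encoded before they reach the page; the model uses html.escape in that role. The putmsg_before/putmsg_after and noticebox_before/noticebox_after names and signatures, the SAMPLE_INPUT string and the two checker functions are assumptions constructed for this example. script_needs_fix looks for the two literal lines quoted above, which is a quick way to confirm that a customized script still carries the old code.

```python
import html

# Constructed sample input: text with a comment terminator and a tag in it.
# It stands in for whatever user-controlled text reaches putmsg or $ret.
SAMPLE_INPUT = "--><b>injected</b><!--"

# Literal fragments quoted in the advisory, used to scan a script for the old code.
VULN_PUTMSG = '<fmt "\\n<!-- %03d %s:%d: %s -->"'
VULN_NOTICE = "<noticebox>WARNING: $ret</noticebox>"


def putmsg_before(num, func, line, msg):
    """Old behaviour: %s inserts func and msg into the HTML comment verbatim."""
    return "\n<!-- %03d %s:%d: %s -->" % (num, func, line, msg)


def putmsg_after(num, func, line, msg):
    """Fixed behaviour: %H is modelled with html.escape, so <, >, &, and quotes
    in func and msg become entities and cannot close the comment."""
    return "\n<!-- %03d %s:%d: %s -->" % (
        num, html.escape(func, quote=True), line, html.escape(msg, quote=True))


def noticebox_before(ret):
    """Old behaviour: $ret is substituted into the warning box unescaped."""
    return "<noticebox>WARNING: %s</noticebox>" % ret


def noticebox_after(ret):
    """Fixed behaviour: the equivalent of <fmt "WARNING: %H" $ret>."""
    return "<noticebox>WARNING: %s</noticebox>" % html.escape(ret, quote=True)


def message_stays_in_comment(rendered):
    """Check that the rendered putmsg output is still one closed HTML comment:
    exactly one terminator, at the very end, and no raw '<' inside it.
    Any other shape means the message text left the comment as live markup."""
    if "<!--" not in rendered:
        return False
    body = rendered.split("<!--", 1)[1]
    return body.count("-->") == 1 and body.endswith("-->") and "<" not in body[:-3]


def notice_has_raw_markup(rendered):
    """True if the text between the <noticebox> tags contains a raw '<'."""
    inner = rendered[len("<noticebox>"):-len("</noticebox>")]
    return "<" in inner


def script_needs_fix(script_text):
    """Scan a search script's text for the two lines the advisory says to edit."""
    return VULN_PUTMSG in script_text or VULN_NOTICE in script_text


if __name__ == "__main__":
    for label, fn in (("before", putmsg_before), ("after", putmsg_after)):
        out = fn(1, "search", 42, SAMPLE_INPUT)
        print(label, "stays in comment:", message_stays_in_comment(out), repr(out))
    for label, fn in (("before", noticebox_before), ("after", noticebox_after)):
        out = fn(SAMPLE_INPUT)
        print(label, "raw markup:", notice_has_raw_markup(out), repr(out))
```

Running the block shows the two shapes side by side: with %s the sample text closes the diagnostic comment and its tag becomes part of the page, while with %H every `<` and `>` arrives as an entity and the comment stays closed.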

Locating your search script:

If you don't know where your Webinator search script resides on your disk, the following locations apply to a standard install.

The search script resides in the webinator subdirectory of your web document directory. Examples: c:\inetpub\wwwroot\webinator, /var/www/html.

For Windows versions later than July 2002 the search script resides in the Texis\Scripts\Webinator subdirectory of your installation directory. The default installation directory is c:\Program Files\Thunderstone Software\Webinator. Example: c:\Program Files\Thunderstone Software\Webinator\Texis\Scripts\Webinator.

Compiling the new or modified script(s):

The search script will recompile itself the next time you use it. If you have problems for some reason, you may also compile it by hand from a command/shell prompt. Change directory (cd) to the directory containing the search script and compile it with:
INSTALLDIR/texis -C search
where INSTALLDIR is your Webinator installation directory.

Copyright © 2024 Thunderstone Software LLC. All rights reserved.