SearchBlox Fixes XSS, File Upload Flaws

SearchBlox, a provider of enterprise search technology, has patched several serious vulnerabilities in its flagship product, including cross-site scripting, cross-site request forgery and other issues.

The company, which sells a variety of enterprise search products, has released version 8.2 of the main SearchBlox product to address the vulnerabilities, which were reported to the CERT/CC at Carnegie Mellon University. The advisory covers a handful of XSS vulnerabilities, an unauthenticated file upload that allows server-side code to be placed on the server, and a CSRF issue.

“SearchBlox contains multiple cross-site scripting (XSS) vulnerabilities, including a reflected XSS in the default search box of http://:8080/searchblox/plugin/index.html and a persistent XSS in the title field of the ‘Create Featured Result’ form, http://:8080/searchblox/admin/main.jsp?menu1=res. Note that an attacker must be authenticated to leverage the persistent XSS,” the CERT advisory says.

There is another vulnerability that allows an unauthenticated remote attacker to upload arbitrary files, including active server-side content, to the SearchBlox server. That flaw was reported in 2013 and the company fixed it in a previous version, but the problem resurfaced: SearchBlox 8.1.5, and possibly other versions, were later found to be vulnerable again.

“Active content, such as JSP pages, can be uploaded to http://:8080/searchblox/admin/uploadImage.html. This can be done by submitting the content using the form and using a client proxy to ensure that the “Content-Type” for the uploaded file is “image/jpeg”. The attacker can then visit the uploaded content and enable its execution. Note that though the URL in question appears to be in an authenticated portion of the server, the page can be accessed without authentication,” CERT said in the advisory.
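The bypass the advisory describes works because the server trusts the client-supplied Content-Type header. The following is an added example, not SearchBlox code and not taken from the CERT advisory: it models a weak upload check that only inspects Content-Type beside a hardened check that validates the file name against an allowlist and the file body against the JPEG magic bytes, then stores the file under a server-generated name. The sample uploads (a real JPEG header, a JSP payload relabelled as image/jpeg, and a JPEG/JSP polyglot) are constructed for the example.

```python
import re
import secrets

# First three bytes of every JPEG file (SOI marker plus start of the next marker).
JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed sample uploads, modelling what a client (or an intercepting proxy)
# would send. None of these come from the advisory.
JSP_PAYLOAD = b'<%@ page import="java.io.*" %><% out.println("jsp ran"); %>'
SAMPLE_UPLOADS = {
    "real_jpeg": {"filename": "logo.jpg", "content_type": "image/jpeg",
                  "data": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16},
    # JSP file with Content-Type rewritten to image/jpeg by a proxy, as described above.
    "spoofed_type": {"filename": "shell.jsp", "content_type": "image/jpeg",
                     "data": JSP_PAYLOAD},
    # Same payload, also renamed to .jpg, so an extension check alone would pass it.
    "renamed": {"filename": "shell.jpg", "content_type": "image/jpeg",
                "data": JSP_PAYLOAD},
    # A valid JPEG header followed by JSP: passes a magic-byte check, so the
    # storage location and handler mapping still matter (see below).
    "polyglot": {"filename": "shell.jpg", "content_type": "image/jpeg",
                 "data": b"\xff\xd8\xff\xe0\x00\x10JFIF" + JSP_PAYLOAD},
}


def weak_upload_check(upload):
    """The bypassable check: trusts whatever Content-Type the client sent."""
    return upload["content_type"] == "image/jpeg"


# Allow only a plain base name with a single .jpg/.jpeg extension: no path
# separators, no double extensions such as shell.jsp.jpg, no NUL bytes.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:jpg|jpeg)", re.IGNORECASE)


def hardened_upload_check(upload):
    """Validate name and body independently of the client-supplied Content-Type."""
    if not _SAFE_NAME.fullmatch(upload["filename"]):
        return False
    if not upload["data"].startswith(JPEG_MAGIC):
        return False
    return True


def stored_name(upload):
    """Server-generated file name: the client's name never reaches the filesystem.

    The upload directory is assumed (hypothetical path) to sit outside the
    servlet container's web root and to be served by a static handler that
    never maps .jsp, so even a polyglot that passes the magic-byte check is
    returned as bytes rather than executed.
    """
    return "/var/lib/searchblox-uploads/" + secrets.token_hex(16) + ".jpg"


def evaluate_samples():
    """Run both checks over the constructed samples; returns {name: (weak, hardened)}."""
    return {name: (weak_upload_check(u), hardened_upload_check(u))
            for name, u in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate_samples().items():
        print(f"{name:13s} weak={weak!s:5s} hardened={hard}")
```

The polyglot case is the reason the hardened check is not the whole fix: a file that begins with valid JPEG bytes and carries JSP after them passes content inspection, so the upload directory must be one the application server will not compile or execute, and the file must be served with a fixed image Content-Type under a name the attacker did not choose.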

SearchBlox 8.1 and earlier also include a dangerous CSRF vulnerability.

“SearchBlox contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request,” the CERT advisory warns.
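A "global" CSRF means no state-changing request carried a per-session secret, so the browser's automatic cookie attachment was all an attacker needed. The following is an added example, not SearchBlox code: it models a minimal server with an authenticated "Create Featured Result" action (the form named in the advisory, used here only as an illustrative endpoint) in two modes, one that acts on any request carrying a valid session cookie and one that also requires a synchronizer token bound to the session. The forged request is the one an attacker-controlled page would make the victim's browser send: victim cookie attached, no token.

```python
import hmac
import secrets


class SearchServer:
    """Toy stand-in for an admin endpoint; sessions and records are kept in memory."""

    def __init__(self):
        self.sessions = {}      # session id (cookie value) -> {"user": ..., "csrf": ...}
        self.featured = []      # titles created through the admin form

    def login(self, user):
        """Issue a session cookie and a fresh per-session CSRF token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def form_token(self, sid):
        """What the legitimate form page embeds in a hidden field for this session."""
        return self.sessions[sid]["csrf"]

    def create_featured_result(self, cookie_sid, form, require_token):
        """Handle POST to the (hypothetical) create-featured-result action.

        cookie_sid is whatever session cookie the browser attached; form is the
        POST body. With require_token=False the handler behaves like the
        vulnerable version described in the advisory.
        """
        session = self.sessions.get(cookie_sid)
        if session is None:
            return 401, "not authenticated"
        if require_token:
            supplied = form.get("csrf_token", "")
            # Constant-time comparison so the token cannot be guessed byte by byte.
            if not hmac.compare_digest(supplied, session["csrf"]):
                return 403, "missing or invalid CSRF token"
        self.featured.append(form["title"])
        return 200, "created"


def simulate(require_token):
    """Victim logs in, then an attacker page submits a forged request in the victim's browser.

    Returns (status_code, number_of_records_created).
    """
    server = SearchServer()
    victim_sid = server.login("admin")
    # The attacker's page triggers a cross-site POST: the browser attaches the
    # victim's cookie, but the attacker cannot read the token out of the form page.
    forged_form = {"title": "attacker-controlled result"}
    status, _ = server.create_featured_result(victim_sid, forged_form, require_token)
    return status, len(server.featured)


def simulate_legitimate():
    """The real form, which includes the token it was rendered with, still works."""
    server = SearchServer()
    sid = server.login("admin")
    form = {"title": "genuine result", "csrf_token": server.form_token(sid)}
    status, _ = server.create_featured_result(sid, form, require_token=True)
    return status, len(server.featured)


if __name__ == "__main__":
    print("vulnerable:", simulate(require_token=False))   # forged request succeeds
    print("hardened:  ", simulate(require_token=True))    # forged request rejected
    print("legitimate:", simulate_legitimate())
```

The token works because it is bound to the session and only ever sent back by a page the same origin rendered; a cross-site page can make the browser send the cookie but cannot read the token to include it. Setting the session cookie with SameSite=Lax or Strict is a complementary browser-side control, not a replacement for the server-side check.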

Version 8.2 fixes all of these issues; installations running 8.1.x or earlier should be upgraded.
