Posted to users@httpd.apache.org by Krist van Besien <kr...@gmail.com> on 2009/03/20 09:27:07 UTC

Re: [users@httpd] XSS vulnerability in default (debian etch installation)?

On Thu, Mar 19, 2009 at 9:47 PM, matti matti <ge...@gmail.com> wrote:
> Hi,
>
> If I do in firefox try:
> http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E
>
> I get a popup with the text "test", and a:
>
> Not Found
>
> The requested URL / was not found on this server.
>
> I haven't got many modules loaded, and added only virtualhosts. This does not
> work in apache 2.0.x of CentOS 4.6.
> Instead of taking this to debian mailinglist, I'm asking here because I'm very
> curious why this works, isn't this an XSS flaw of magnitude, or am I missing
> something?

Hmm. Doesn't work on my Ubuntu installation either.
Can you have a peek at the source of what you get back? It would
appear that for some reason the < and > brackets haven't been
converted into HTML entities.

For example: my server returns:

<p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt;
was not found on this server.</p>

And thus the browser doesn't see any script tags...


Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] XSS vulnerability in default (debian etch installation)?

Posted by matti matti <ge...@gmail.com>.
Hi,

<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL /<ScRipT >alert('test');</ScRipT > was
not found on this server.</p></body></html>


The installation is not default, but only mod_jk, AddDefaultCharset and
virtualhosts have been edited.

On Fri, Mar 20, 2009 at 9:27 AM, Krist van Besien <krist.vanbesien@gmail.com> wrote:

> On Thu, Mar 19, 2009 at 9:47 PM, matti matti <ge...@gmail.com> wrote:
> > Hi,
> >
> > If I do in firefox try:
> > http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E
> >
> > I get a popup with the text "test", and a:
> >
> > Not Found
> >
> > The requested URL / was not found on this server.
> >
> > I haven't got many modules loaded, and added only virtualhosts. This does not
> > work in apache 2.0.x of CentOS 4.6.
> > Instead of taking this to debian mailinglist, I'm asking here because I'm very
> > curious why this works, isn't this an XSS flaw of magnitude, or am I missing
> > something?
>
> Hmm. Doesn't work on my Ubuntu installation either.
> Can you have a peek at the source of what you get back? It would
> appear that for some reason the < and > brackets haven't been
> converted into HTML entities.
>
> For example: my server returns:
>
> <p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt;
> was not found on this server.</p>
>
> And thus the browser doesn't see any script tags...
>
>
> Krist
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
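A small check for the point the two replies above turn on: whether a 404 page HTML-escapes the reflected request path. This is an added example, not code from the thread or from Apache httpd; the two response bodies are constructed from what Krist and matti pasted, and the function name `reflection_is_escaped` is my own.

```python
"""Verify that an error page reflects the requested URL with < > & escaped.

Added example (not from the thread or from Apache httpd). Both bodies are
constructed from the responses shown in the thread.
"""
import html
import re
from urllib.parse import unquote

# The percent-encoded path from the original report.
REQUEST_PATH = "/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E"

# Constructed from the thread: what Krist's server returned (escaped, safe).
ESCAPED_BODY = (
    "<p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt;\n"
    "was not found on this server.</p>"
)

# Constructed from the thread: what matti's server returned (unescaped).
UNESCAPED_BODY = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not\n"
    "Found</h1><p>The requested URL /<ScRipT >alert('test');</ScRipT > was\n"
    "not found on this server.</p></body></html>"
)


def extract_reflected_url(body: str) -> str:
    """Return the text between 'The requested URL ' and ' was not found'."""
    m = re.search(r"The requested URL (.*?)\s+was\s+not found", body, re.S)
    if m is None:
        raise ValueError("no reflected URL found in body")
    # Collapse the line-wrapping whitespace the mail client introduced.
    return " ".join(m.group(1).split())


def reflection_is_escaped(request_path: str, body: str) -> bool:
    """True if the decoded path is reflected with <, > and & as entities.

    Krist's output shows <, > escaped but the apostrophe left alone, so the
    safe form is compared against html.escape(..., quote=False).
    """
    decoded = unquote(request_path)
    reflected = extract_reflected_url(body)
    if reflected == html.escape(decoded, quote=False):
        return True
    if reflected == decoded:
        return False
    raise ValueError(f"unexpected reflection: {reflected!r}")


if __name__ == "__main__":
    for name, body in (("escaped", ESCAPED_BODY), ("unescaped", UNESCAPED_BODY)):
        print(name, "->", reflection_is_escaped(REQUEST_PATH, body))
```

The same function can be pointed at a body fetched from your own server to confirm that a custom ErrorDocument or proxy in front of httpd has not reintroduced the unescaped reflection.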