A customer tested our website using WebInspect, and reported one "high"
security concern. I'm not really sure what this is about, and was
hoping maybe someone could shed some light on if it's really a concern,
or just a false positive as suggested. If it is a real concern, how do
I fix it! Not sure if it's related, but access to my "logs" directory
was another "low" concern which I have now blocked access to. I noticed
the log directory was listed in the URL below, and maybe the two were
related. I have some 3rd party software which analyzes my web logs
nightly and generates html reports within the logs directory. Maybe the
error was within that html?
Thanks,
Jason
*Failure Finding 1: 302 Error Message Cross-site Scripting*
*Ranking*
High
*Category*
Cross-site Scripting
*Issue*
http://test.superiorbag.com:80/logs?><script>alert('XSS');</script>
The handling of certain HTTP requests that produce "302 Object Moved"
responses allows attackers to launch cross-site scripting attacks. When
the server receives an HTTP request for a directory without a trailing
slash, it returns a 302 Object Moved error message, redirecting the
client to the requested directory, with a forward slash. Also included
in the body of the HTTP response are any GET parameters that were
included in the original request. These parameters are not properly
sanitized for malicious content before being returned to the client.
*Impact*
Cross-site scripting allows an attacker to control the web browser of
other web users viewing the page by embedding malicious HTML tags and
JavaScript. An attacker can use this technique to steal sensitive
information such as credit card numbers, usernames, passwords, files,
and session identifiers from the web users.
*Remediation*
A patch has been released that corrects this issue. See Microsoft
Security Advisory MS02-018.
*Evidence*
I was unable to reproduce this manually.
_______________________________________________
Active4D-dev mailing list
http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/
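As an added illustration, not from the original post or from the scanner, the following Python models the defect the finding describes: a server that answers a directory request lacking a trailing slash with a 302 whose HTML body repeats the original query string. `build_redirect` produces either the flawed body (query string copied verbatim) or the corrected one (HTML-escaped body, percent-encoded Location header), and `reflects_query_unescaped` is the check a defender would run over a captured response. The probe string and response layout are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed probe: harmless markup that makes unescaped reflection visible.
PROBE = 'x"><i>probe</i>'


def build_redirect(path: str, query: str, escape_body: bool = True) -> str:
    """Return the raw 302 response for a directory requested without a
    trailing slash.  Both the Location header and the "here" link in the
    body carry the original query string.  escape_body=False reproduces
    the reported defect: the query string lands in the HTML unchanged."""
    target = f"{path}/?{query}" if query else f"{path}/"
    # Header: percent-encode so the URL cannot carry raw metacharacters.
    location = quote(target, safe="/?=&%")
    # Body: HTML-escape (including quotes) before placing inside an attribute.
    shown = html.escape(target, quote=True) if escape_body else target
    body = (
        "<head><title>Object moved</title></head>\n"
        "<body><h1>Object Moved</h1>This object may be found "
        f'<a href="{shown}">here</a>.</body>'
    )
    return (
        "HTTP/1.1 302 Object Moved\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n" + body
    )


def reflects_query_unescaped(response: str, query: str) -> bool:
    """Defender-side check on a captured response: True when the HTML body
    contains the query string verbatim although it holds markup
    metacharacters, i.e. the server did not encode it before reflecting."""
    _, _, body = response.partition("\r\n\r\n")
    has_metachars = any(c in query for c in '<>"\'')
    return has_metachars and query in body


if __name__ == "__main__":
    flawed = build_redirect("/logs", PROBE, escape_body=False)
    fixed = build_redirect("/logs", PROBE)
    print("flawed reflects raw query:", reflects_query_unescaped(flawed, PROBE))
    print("fixed reflects raw query: ", reflects_query_unescaped(fixed, PROBE))
```

A scanner such as WebInspect is doing the same comparison: it sends a request with markup in the query string and looks for that markup, unencoded, in the redirect body.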