Not sure if it's related, but access to my "logs" directory was
another "low" concern which I have now blocked access to. I
noticed the log directory was listed in the URL below, and maybe
the two were related. I have some 3rd party software which
analyzes my web logs nightly and generates html reports within the
logs directory.
It is up to you to protect the logs directory within an http security
realm.
http://test.superiorbag.com:80/logs?><script>alert('XSS');</script>
The handling of certain HTTP requests that produce "302 Object
Moved" responses allows attackers to launch cross-site scripting
attacks. When the server receives an HTTP request for a directory
without a trailing slash, it returns a 302 Object Moved error
message, redirecting the client to the requested directory, with a
forward slash. Also included in the body of the HTTP response are
any GET parameters that were included in the original request.
These parameters are not properly sanitized for malicious content
before being returned to the client.
What this is saying is that when a request for the above url is made,
Active4D redirects to:
http://test.superiorbag.com:80/logs/?><script>alert('XSS');</script>
Within the body of the redirect is a link which looks like this if
you use Safari or IE (but not Mozilla-based browsers):
<a href="http://test.superiorbag.com:80/logs/?><script>alert('XSS');</script>">Click here</a>
That is what the test was complaining about. However, none of the
browsers I have tested (even IE6) will actually execute that
Javascript.
What EVERYONE should be careful of is not to write values that come
from user input (or the database) to the page without using
'escape' (in Javascript) or 'mac to html' (in Active4D).
For example, if you allow a user to enter something through the web
which gets stored in the database, they could enter a bunch of
javascript code. If you subsequently write the value to the screen,
the javascript will get executed. In fact my demo suffers from this
vulnerability. Doh!
Anyway, the bottom line in this case is that it is a false positive,
although I will make a change to Active4D so that the query in a
redirect is url encoded, which effectively sanitizes it.
Regards,
Aparajita
www.aparajitaworld.com
"If you dare to fail, you are bound to succeed."
- Sri Chinmoy | www.srichinmoylibrary.com
Active4D-dev mailing list
http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/
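An added example, not part of the mailing list post or of Active4D: a small Python model of the "302 Object Moved" body described above, with the reflected-query behaviour the scanner flagged beside the fix Aparajita proposes (URL-encode the query before it is written into the redirect, and escape it for the HTML attribute). The host and the probe string are taken from the post; the function names and the `is_reflected_raw` check are assumptions made for this example.

```python
# Added example (not Active4D code): how a "directory without trailing slash"
# 302 redirect leaks a raw query string into its body, and the fix described
# in the post: URL-encode the query before reflecting it.
import html
from urllib.parse import quote

# Constructed sample request, mirroring the scanner's probe from the post.
HOST = "test.superiorbag.com"
SAMPLE_PATH = "/logs"
SAMPLE_QUERY = "><script>alert('XSS');</script>"


def redirect_vulnerable(host: str, path: str, query: str) -> dict:
    """The behaviour the scanner flagged: the raw query is copied into the body."""
    location = f"http://{host}{path}/" + (f"?{query}" if query else "")
    body = f'<a href="{location}">Click here</a>'
    return {"status": 302, "Location": location, "body": body}


def redirect_hardened(host: str, path: str, query: str) -> dict:
    """Fix from the post: URL-encode the query, then escape it for the attribute."""
    # quote() leaves '=' and '&' alone so ordinary key=value pairs survive,
    # while '<', '>', quotes, parentheses and ';' become %XX sequences.
    safe_query = quote(query, safe="=&")
    location = f"http://{host}{path}/" + (f"?{safe_query}" if safe_query else "")
    # Second, context-specific encoding for the HTML attribute ('&' -> '&amp;').
    body = f'<a href="{html.escape(location, quote=True)}">Click here</a>'
    return {"status": 302, "Location": location, "body": body}


def is_reflected_raw(response: dict, marker: str = "<script>") -> bool:
    """Detection check a scanner performs: does the markup appear unencoded?"""
    return marker in response["body"]


if __name__ == "__main__":
    for build in (redirect_vulnerable, redirect_hardened):
        resp = build(HOST, SAMPLE_PATH, SAMPLE_QUERY)
        print(build.__name__, "raw <script> in body:", is_reflected_raw(resp))
        print("  Location:", resp["Location"])
        print("  body:    ", resp["body"])
```

The hardened version keeps `key=value&key2=value2` queries readable, so the redirect still carries legitimate parameters through.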