This looks like pretty close to what I want but there's an error (i.e. the regex fails to work on any normal URL I've tried). Not particularly strong here, any help?
Regards, Kevin On Mon, Nov 28, 2011 at 2:18 PM, Joe Gooch <[email protected]> wrote: > You can define a CheckURL directive to trap the invalid characters. (for > instance, I don't believe < or > can appear inline in a URL, it would have to > be % escaped) > > http://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid > > Thus you might want to include a line such as: > CheckURL "^[!#$&-;=?-[]_a-zA-Z~]+$" > > (note the regex is based on the Leif Wickland responder... You might want to > check the &-; and ?-[ ranges, for instance. I take no responsibility for > correctness in your environment) > > Given the URL you have supplied the URL would throw a 500 error based on the > " in your request and the <> characters. > > Joe > >> -----Original Message----- >> From: Kevin Bowling [mailto:[email protected]] >> Sent: Friday, November 18, 2011 1:04 AM >> To: [email protected] >> Subject: Re: [Pound Mailing List] Pound CSRF vulnerability in redirects >> >> Here is what the system claims the actual exploit looks like> >> >> HTTP/1.0 301 Moved Permanently >> Location: >> https://<domain>.com:7443/"><script>alert(document.domain)</script>.htm >> l >> Content-Type: text/html >> Content-Length: 264 >> >> <html><head><title>Redirect</title></head><body> Redirect You should >> go to >> <script>alert(document.domain)</script>.html">https://<domain>.com:7443 >> /"><script>alert(document.domain)</script>.html >> (https://<domain>.com:7443/)</p></body></html> >> >> GET /"><script>alert(document.domain)</script>.html HTTP/1.0 >> Host: <ip>:7080 >> User-Agent: QualysGuard >> >> On Thu, Nov 17, 2011 at 5:07 PM, Kevin Bowling >> <[email protected]> wrote: >> > Hi, >> > >> > This is very low risk because any browser that doesn't obey the HTTP >> > 301 code is likely ancient and vulnerable. >> > >> > One place this matters is automated scanning tools. I have a system >> > that is being audited for PCI compliance by a tool from qualys which >> > is basically a glorified port scanner. It passes in a >> > <script></script> nonsense on the URL and sure enough pound repeats >> > this in the document fallback if the HTTP 301 redirect is not obeyed. >> > >> > It is a bad idea, the URL should be scrubbed (hard), or simply >> > repeated without an <a href=...> and let the user figure it out? >> > >> > Regards, >> > Kevin >> > >> > -- >> > To unsubscribe send an email with subject unsubscribe to >> [email protected]. >> > Please contact [email protected] for questions. >> > >> >> -- >> To unsubscribe send an email with subject unsubscribe to >> [email protected]. >> Please contact [email protected] for questions. > > -- > To unsubscribe send an email with subject unsubscribe to [email protected]. > Please contact [email protected] for questions. > -- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
