Von: "Joe Gooch" <[email protected]>
An: 'Pound' <[email protected]>
Betreff: RE: [Pound Mailing List] port 80 redirect and XSS
Are you using the stage for upstream 2.7b branch?
Or running this patch?
https://github.com/goochjj/pound/commit/8b29ed0e1a6760de395b64274c5de95ad05143fe.diff
Joe
From: [email protected] [mailto:[email protected]]
Sent: Monday, August 05, 2013 10:37 AM
To: Pound
Subject: [Pound Mailing List] port 80 redirect and XSS
Hi,
we are using pound on a centos 6 base and it works fine. A few days ago we had a security scan and now there is a problem with xss (cross site scripting). When the client connects on port 80 an ask about a link with bad code in it (GET /"><script>alert(document.domain)</script>.html HTTP/1.1), the pound-system replies with a 300-Code and the full request. Is it possible to filter or do a url-encoding/html-encoding before the 300-Reply gets back to the browser ? Or what else can we do to resolve this issue.
Any suggestions are welcome
kind regards
fatcharly
-- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
