Hmm, that's EXACTLY what my node says before the so-called fix. And I've
just reproduced EXACTLY the same behaviour again on the current
freenet-latest.jar. However it DOES appear to be fixed in the latest
freenet-unstable-latest.jar (603 I believe).
Someone care to rerelease the 5xx branch with
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Just updated to 527 and this is still vulnerable. Here's the HTML output I get for
going to the URL below:
Couldn't retrieve
document.write('test1test2
');
Unexpected key
Key: document.write('test1test2
'); doesn't look
like a
On Tue, Oct 29, 2002 at 08:06:18PM -, Dave Hooper wrote:
> > the following executes custom html.
> >
> > http://127.0.0.1:/%3Cscript%3Edocument.write('test');%3C/script%3E
>
> True - for example :
> http://127.0.0.1:/%3Cscript%3Edocument.write('test1%3cH1%3etest2%3c/H1%3
> e');%3C/scri
> the following executes custom html.
>
> http://127.0.0.1:/%3Cscript%3Edocument.write('test');%3C/script%3E
True - for example :
http://127.0.0.1:/%3Cscript%3Edocument.write('test1%3cH1%3etest2%3c/H1%3
e');%3C/script%3E
The code that displays the "Unexpected key" page should really HTMLis
Hi guys,
I don't know if XSS is an issue with Freenet .. but here goes - the
following executes custom html.
<<
http://127.0.0.1:/%3Cscript%3Edocument.write('test');%3C/script%3E
>>
Hope it helps.
--
Kind Regards,
Obscure
http://eyeonsecurity.org/
http://ob5cure.com/
http://nekromantic
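
The fix suggested in the thread is to HTML-encode the key before the "Unexpected key" page echoes it. The sketch below is an added example, not Freenet's code: the class name, method names and page markup are assumptions, and the input is the URL path from the report above.

```java
import java.net.URLDecoder;

public class UnexpectedKeyPage {
    // Replace the characters that are significant in HTML text and attribute values.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour reported in the thread: the decoded request path is echoed as-is.
    // The markup here is an assumed layout, not the real fproxy template.
    static String renderUnescaped(String key) {
        return "<html><body><h1>Unexpected key</h1><p>Key: " + key + "</p></body></html>";
    }

    // Suggested fix: encode the key at the point where it is written into HTML.
    static String renderEncoded(String key) {
        return "<html><body><h1>Unexpected key</h1><p>Key: " + htmlEncode(key) + "</p></body></html>";
    }

    public static void main(String[] args) throws Exception {
        // Request path from the report, leading slash removed.
        String path = "%3Cscript%3Edocument.write('test');%3C/script%3E";
        String key = URLDecoder.decode(path, "UTF-8");

        String unsafe = renderUnescaped(key);
        String safe = renderEncoded(key);
        System.out.println("unescaped: " + unsafe);
        System.out.println("encoded:   " + safe);

        // The encoded page must carry the key as text, never as a tag.
        if (safe.contains("<script")) {
            throw new AssertionError("key was not encoded");
        }
    }
}
```

Encoding belongs at the output step, after URL decoding, so that every error page that prints a request-derived value goes through the same routine.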