On Mon, September 29, 2003 at 1:57 am, Shapira, Yoav sent the following

> I'm not a big security buff, but three things come to mind:
> - The original post with the "exploit" is more than a year old, yet we
> haven't heard anything about this actually used maliciously -- how come?

Can't answer this one myself...

> - Is it really a vulnerability? What can you get from this "exploit"?

You can hijack the user's session or steal information from a user's cookie pretty easily with an XSS flaw such as this one.

> All I see is tomcat returning a 404 (not found) response with the
> javascript specified in the GET request, but javascript is executed on
> the client anyhow, so who cares?
> - What would the fix be? Not include the requested URL in the default
> 404 response page?

That's not the problem. If you look at the trace in my previous post, the problem is that the javascript was printed out un-encoded before any of the response headers. You can try plugging the URL into your browser (just tack "666%0a%0a<script>alert("asdf");</script>666.jsp" onto a URL) and you will receive a Javascript alert "asdf". Malicious users could obviously write something much more malicious than the simple alert used as the example.

-Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
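The exchange above turns on two things: the requested URI is percent-decoded (so `%0a` becomes a real newline) and then echoed into the error page without encoding. The following is an added, constructed example, not Tomcat's code and not anything Dave posted: a toy 404 builder that echoes the decoded path verbatim (the weak pattern), beside one that strips CR/LF and HTML-escapes the path before echoing it, plus a small check that tells the two outputs apart. The Tomcat trace Dave refers to printed the payload before the response headers; for simplicity this example models the echo inside the HTML body, which is enough for the `<script>` to execute in a browser. The request target, function names and the page layout are all assumptions made for illustration.

```python
"""
Constructed example (not Tomcat code): echoing a percent-decoded request
URI into a 404 page without encoding, beside the hardened version.
"""
import html
from urllib.parse import unquote

# Constructed request target mirroring the probe described in the post.
PROBE = '/666%0a%0a<script>alert("asdf");</script>666.jsp'


def vulnerable_404(request_target: str) -> str:
    """Build a 404 response that echoes the decoded URI verbatim.

    Illustrative weak pattern only: %0a decodes to a bare newline and the
    <script> tag is copied into the page as-is, so the browser runs it.
    """
    path = unquote(request_target)  # "%0a" -> "\n", "%3c" -> "<", ...
    body = (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>HTTP Status 404 - " + path + "</h1>"
        "</body></html>"
    )
    return (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )


def sanitize_for_html(value: str) -> str:
    """Neutralise attacker-controlled text before it is echoed.

    1. Drop CR and LF so the value cannot split line-oriented output
       (status line, headers, log lines).
    2. HTML-escape <, >, &, " and ' so the value renders as text, not markup.
    """
    value = value.replace("\r", "").replace("\n", "")
    return html.escape(value, quote=True)


def hardened_404(request_target: str) -> str:
    """Same page as vulnerable_404, but the path is sanitised first."""
    path = sanitize_for_html(unquote(request_target))
    body = (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>HTTP Status 404 - " + path + "</h1>"
        "</body></html>"
    )
    return (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )


def contains_live_script(response: str) -> bool:
    """True if the response body still carries an unescaped <script tag.

    Splits headers from body on the first blank line, then looks for a raw
    '<script' (case-insensitive) that a browser would execute.
    """
    _, _, body = response.partition("\r\n\r\n")
    return "<script" in body.lower()


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(vulnerable_404(PROBE)))
    print("hardened page executes script:  ", contains_live_script(hardened_404(PROBE)))
    print(hardened_404(PROBE).partition("\r\n\r\n")[2])
```

The order in `sanitize_for_html` matters: newlines are removed before escaping so that a decoded `%0d%0a` can never reach a header or status line, and escaping happens once, at the point of output, rather than on the raw request, so the same function is safe to reuse wherever the path is echoed.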