On Mon, September 29, 2003 1at 1:57 am, Shapira, Yoav sent the following
> I'm not a big security buff, but three things come to mind:
> - The original post with the "exploit" is more than a year old, yet we
> haven't heard anything about this actually used maliciously -- how come?
Can't answer this one myself...
> - Is it really a vulnerability? What can you get from this "exploit"?
You can hijack the user's session or steal information from a user's
cookie pretty easily with a XSS flaw such as this one.
> All I see is tomcat returning a 404 (not found) response with the
> javascript specified in the GET request, but javascript is executed on
> the client anyhow, so who cares?
> - What would the fix be? Not include the requested URL in the default
> 404 response page?
That's not the problem. If you look at the trace in my previous post, the
problem is that the javascript was printed out un-encoded before any of
the response headers. You can try plugging in the URL in your browser
(just tack on "666%0a%0a<script>alert("asdf");</script>666.jsp" a URL) and
you will receive a Javascript alert "asdf". Malicious users could
obviously write something much more malicious than a simple alert used as
the example.
-Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
