Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Richard Moore
KJKHyperion wrote: > Michal Majchrowicz wrote: >> In this case I agree this is a solution. If Apache wouldn't accept any >> 'separators' then XSS (and other stuff) wouldn't be possible at all. Is >> there anywhere described which chars can be used in protocol "field"? > There is no "flaw". I agr

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread KJKHyperion
Michal Majchrowicz wrote: > In this case I agree this is a solution. If Apache wouldn't accept any > 'separators' then XSS (and other stuff) wouldn't be possible at all. Is there > anywhere described which chars can be used in protocol "field"? There is no "flaw". You clearly have never written a

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Kradorex Xeron
That would severely cut most extensibility and require further implementations to be hardcoded, thus limiting apache's modular nature. The original RFC would be insufficient for its list as there are modules such as webdav (as in the previous example) that add to that list of methods Apache is

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Michal Majchrowicz
In this case I agree this is a solution. If Apache wouldn't accept any 'separators' then XSS (and other stuff) wouldn't be possible at all. Is there anywhere described which chars can be used in protocol "field"? Regards Michal. On 4/24/07, Richard Moore <[EMAIL PROTECTED]> wrote: > Michal Majchro

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Richard Moore
Michal Majchrowicz wrote: > Okay so let's assume that there cany "anything" as the request. But > there has to be something that handles this request? If there is no > "handler" for request "" Apache should return error page. And > what about protocol version? You didn't answer this question. > Reg

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Michal Majchrowicz
Okay so let's assume that there cany "anything" as the request. But there has to be something that handles this request? If there is no "handler" for request "" Apache should return error page. And what about protocol version? You didn't answer this question. Regards Michal. On 4/24/07, Richard Mo

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Guasconi Vincent
On 4/24/07, Michal Majchrowicz <[EMAIL PROTECTED]> wrote: > Hi. > I think now we can classify this as flaw in Apache. It accepts > requests that simply make no sense. Take a look at this example: > alert(document.cookie); /test.php > alert(document.cookie); > In some circumstances it may cause XSS

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Michal Majchrowicz
Hi. I think that server should have a list of valid requests. In fact Apache warns you sometimes that valid requests are: "GET/POST/TRACE/OPTIONS". The solution that it just accepts everything as request and protocol makes no sense. What kind of protocol is ""? Regards Michal. On 4/24/07, Richard

Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Richard Moore
Michal Majchrowicz wrote: > Hi. > I think now we can classify this as flaw in Apache. It accepts > requests that simply make no sense. Take a look at this example: > alert(document.cookie); /test.php > alert(document.cookie); > In some circumstances it may cause XSS vulnerability: > echo $

[Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability

2007-04-24 Thread Michal Majchrowicz
Hi. I think now we can classify this as flaw in Apache. It accepts requests that simply make no sense. Take a look at this example: alert(document.cookie); /test.php alert(document.cookie); In some circumstances it may cause XSS vulnerability: I am now investigating other possible attacks. Regards