Hi,

<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL /<ScRipT >alert('test');</ScRipT > was
not found on this server.</p></body></html>


The installation is not default, but only mod_jk, AddDefaultCharset and
virtualhosts have been edited.

On Fri, Mar 20, 2009 at 9:27 AM, Krist van Besien <krist.vanbes...@gmail.com> wrote:

> On Thu, Mar 19, 2009 at 9:47 PM, matti matti <geono...@gmail.com> wrote:
> > Hi,
> >
> > If I try in Firefox:
> > http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E
> >
> > I get a popup with the text "test", and a:
> >
> > Not Found
> >
> > The requested URL / was not found on this server.
> >
> > I haven't got many modules loaded, and added only virtualhosts. This does
> > not work in Apache 2.0.x of CentOS 4.6.
> > Instead of taking this to the Debian mailing list, I'm asking here because
> > I'm very curious why this works. Isn't this an XSS flaw of magnitude, or am
> > I missing something?
>
> Hmm. Doesn't work on my Ubuntu installation either.
> Can you have a peek at the source of what you get back? It would
> appear that for some reason the < and > brackets haven't been
> converted into HTML entities.
>
> For example, my server returns:
>
> <p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt;
> was not found on this server.</p>
>
> And thus the browser doesn't see any script tags...
>
>
> Krist
>
> --
> krist.vanbes...@gmail.com
> kr...@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

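The difference Krist points out, as an added example that is not code from this thread or from httpd: the request path from the thread is percent-decoded and then entity-encoded before being reflected into a 404 body, and a small check flags a response body that echoes the decoded path with its `<` and `>` intact (the two response bodies below are constructed from the ones quoted in the thread).

```python
import html
from urllib.parse import unquote

# Constructed: the request path from the thread, as the browser sends it (percent-encoded).
REQUEST_PATH = "/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E"

# Constructed: the unescaped 404 body matti's server returned ...
VULNERABLE_BODY = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /<ScRipT >alert('test');</ScRipT > was not found on "
    "this server.</p></body></html>"
)
# ... and the entity-encoded one Krist's server returned.
ESCAPED_BODY = (
    "<p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt; "
    "was not found on this server.</p>"
)


def render_not_found(raw_path: str) -> str:
    """Build the 404 message the safe way: decode the path, then entity-encode
    it before placing it inside the HTML, so a decoded '<' becomes '&lt;' and
    a quote becomes '&#x27;' rather than surviving as markup."""
    decoded = unquote(raw_path)
    safe = html.escape(decoded, quote=True)
    return f"<p>The requested URL {safe} was not found on this server.</p>"


def reflects_unescaped(raw_path: str, body: str) -> bool:
    """Return True when the body echoes the decoded request path verbatim and
    that path carries markup characters, i.e. the server reflected it without
    entity-encoding. A verbatim echo of a plain path such as /missing/page is
    not a finding, so only '<' and '>' are considered."""
    decoded = unquote(raw_path)
    if decoded not in body:
        return False
    return any(ch in decoded for ch in "<>")


if __name__ == "__main__":
    print("vulnerable body reflects markup:", reflects_unescaped(REQUEST_PATH, VULNERABLE_BODY))
    print("escaped body reflects markup:   ", reflects_unescaped(REQUEST_PATH, ESCAPED_BODY))
    print(render_not_found(REQUEST_PATH))
```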