Hi,

<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /<ScRipT >alert('test');</ScRipT > was not found on this server.</p></body></html>

The installation is not default, but only mod_jk, AddDefaultCharset and virtualhosts have been edited.

On Fri, Mar 20, 2009 at 9:27 AM, Krist van Besien <krist.vanbes...@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 9:47 PM, matti matti <geono...@gmail.com> wrote:
> > Hi,
> >
> > If I do in firefox try:
> > http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E
> >
> > I get a popup with the text "test", and a:
> >
> > Not Found
> >
> > The requested URL / was not found on this server.
> >
> > I haven't got many modules loaded, and added only virtualhosts. This does not
> > work in apache 2.0.x of CentOS 4.6.
> > Instead of taking this to the debian mailinglist, I'm asking here because I'm very
> > curious why this works. Isn't this an XSS flaw of magnitude, or am I missing
> > something?
>
> Hmm. Doesn't work on my Ubuntu installation either.
> Can you have a peek at the source of what you get back? It would
> appear that for some reason the < and > brackets haven't been
> converted into html entities (
>
> For example: my server returns:
>
> <p>The requested URL /<ScRipT >alert('test');</ScRipT >
> was not found on this server.</p>
>
> And thus the browser doesn't see any script tags...
>
>
> Krist
>
> --
> krist.vanbes...@gmail.com
> kr...@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
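Krist's advice is to look at the raw source of the 404 body and check whether the reflected URL still contains literal `<` and `>`. The script below, an added example that is not part of the thread or of Apache's own code, automates that check and shows the hardened form of the reflection (HTML-escaping the decoded request URI, which is what a correct error document does). The two sample bodies are constructed from the ones quoted in the thread; Krist's body is assumed to have read `&lt;ScRipT &gt;` before the entities were decoded in this copy of the message.

```python
import html
from urllib.parse import unquote

# Constructed sample: the request path from the thread, percent-encoded as typed into Firefox.
REQUEST_PATH = "/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E"

# Constructed sample: the body matti's server returned (brackets reflected verbatim).
UNSAFE_BODY = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /<ScRipT >alert('test');</ScRipT > "
    "was not found on this server.</p></body></html>"
)

# Constructed sample: Krist's body, assumed to have carried entities before extraction decoded them.
SAFE_BODY = (
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /&lt;ScRipT &gt;alert('test');&lt;/ScRipT &gt; "
    "was not found on this server.</p></body></html>"
)


def render_not_found(request_uri: str) -> str:
    """Hardened 404 body: the decoded URI is HTML-escaped before being reflected.

    html.escape() converts &, <, >, " and ' so the browser never sees a tag
    boundary that came from the request line.
    """
    decoded = unquote(request_uri)
    safe_uri = html.escape(decoded, quote=True)
    return (
        "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
        f"<p>The requested URL {safe_uri} was not found on this server.</p>"
        "</body></html>"
    )


def reflects_unescaped(body: str, request_uri: str) -> bool:
    """Return True when the decoded request URI is reflected with < or > intact.

    A URI without angle brackets cannot introduce a tag, so it is reported as
    safe regardless of how the server echoed it.
    """
    decoded = unquote(request_uri)
    if "<" not in decoded and ">" not in decoded:
        return False
    return decoded in body


def classify(body: str, request_uri: str) -> str:
    """Human-readable verdict for one 404 body, for use in a quick audit loop."""
    if reflects_unescaped(body, request_uri):
        return "UNESCAPED: request URI reflected with raw angle brackets"
    return "ok: angle brackets in the request URI are not reflected verbatim"


if __name__ == "__main__":
    for label, body in (("matti", UNSAFE_BODY), ("krist", SAFE_BODY),
                        ("hardened", render_not_found(REQUEST_PATH))):
        print(f"{label:8s} {classify(body, REQUEST_PATH)}")
```

Run against a real response, feed `classify()` the body fetched with `curl -s` (or saved from the browser's view-source), not the rendered page, because the rendered DOM has already turned the entities back into brackets and would hide the difference Krist is pointing at.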