On Thu, Mar 19, 2009 at 9:47 PM, matti matti <geonode7@xxxxxxxxx> wrote:
> Hi,
>
> If I do in firefox try:
> http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E
>
> I get a popup with the text "test", and a:
>
> Not Found
>
> The requested URL / was not found on this server.
>
> I haven't got many modules loaded, and added only virtualhosts. This does not
> work in apache 2.0.x of CentOS 4.6.
> Instead of taking this to debian mailinglist, I'm asking here because I'm very
> curious why this works, isn't this a XSS flaw of magnitude, or am I missing
> something?

Hmm. Doesn't work on my Ubuntu installation either.

Can you have a peek at the source of what you get back? It would appear that
for some reasons the < and > brackets haven't been converted into html
entities (

For example: my server returns:

<p>The requested URL /<ScRipT >alert('test');</ScRipT > was not found on this server.</p>

And thus the browser doesn't see any script tags...

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland

--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
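A check for the behaviour discussed in this thread, added here as an example and not code from the thread or from the Apache project: it classifies whether a "Not Found" body reflects the requested path with < and > converted to entities (as Krist's server does) or verbatim (as matti reports). The two response bodies are constructed samples, and fetch_body is a hypothetical helper for running the same check against a server you administer.

```python
import html
import urllib.error
import urllib.request
from urllib.parse import unquote

# The probe path from the thread; the server should reflect it only with
# < and > turned into &lt; and &gt; in its 404 page.
PROBE_PATH = "/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E"

# Constructed sample bodies: one escaped (safe), one reflected verbatim.
ESCAPED_BODY = ("<p>The requested URL /&lt;ScRipT &gt;alert('test');"
                "&lt;/ScRipT &gt; was not found on this server.</p>")
UNESCAPED_BODY = ("<p>The requested URL /<ScRipT >alert('test');"
                  "</ScRipT > was not found on this server.</p>")


def reflected_path_status(body: str, requested_path: str) -> str:
    """Return 'unescaped', 'escaped' or 'not-reflected' for a 404 body.

    The percent-decoded path is what the server echoes back; if that decoded
    text appears in the body with its raw brackets, the page is injectable.
    """
    raw = unquote(requested_path)
    escaped = html.escape(raw, quote=False)  # only &, < and > are rewritten
    if raw != escaped and raw in body:
        return "unescaped"
    if escaped in body:
        return "escaped"
    return "not-reflected"


def fetch_body(base_url: str, path: str = PROBE_PATH, timeout: float = 5.0) -> str:
    """Hypothetical helper: GET the probe path from your own server.

    urlopen raises on a 404, so the error object's body is read instead.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "404-escape-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "iso-8859-1"
            return resp.read().decode(charset, "replace")
    except urllib.error.HTTPError as err:
        charset = err.headers.get_content_charset() or "iso-8859-1"
        return err.read().decode(charset, "replace")


if __name__ == "__main__":
    import sys
    body = fetch_body(sys.argv[1]) if len(sys.argv) > 1 else UNESCAPED_BODY
    print(reflected_path_status(body, PROBE_PATH))  # prints "unescaped" offline
```

Run it with a base URL such as http://localhost as its only argument to test a server you operate; with no argument it classifies the constructed verbatim sample.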