RE: Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability

From: Cook, Justin S. (Schmidt) (JSCookat_private)
Date: Tue Jul 03 2001 - 05:47:14 PDT


    This same vulnerability seems to be partially evident for CFServer (at least
    version 4.5).
    
    Using the following code:
    
    default.cfm
    -----------
    <html>
    <head>
     <title>CFML Cross-site Scripting Vulnerability Testing</title>
     <script language="javascript" src="extra.js"></script>
    </head>
    </html>
    
    extra.js
    ---------
    /* does nothing */
    function foo() {
    	var bar="foo";
    	return bar;
    }
    
    If you do a request in your browser for
    http://domain/default.cfm/>alert(document.domain)
    
    you can see that the JS is at least partially interpreted because it shows
    up in the IE errors. If viewed in Netscape, you see that there is a syntax
    error with the first tag (in this case <html>).
    
    IE Error: 
    Line: 4
    Char: 1
    Error: Syntax Error
    Code: 0
    URL: http://domain/default.cfm/>alert(document.domain) 
    
    NS 4.7 Error: 
    JavaScript Error:
    http://domain/default.cfm/extra.js,
    line 3:
    
    syntax error. 
    
    <html>
    ^
    
    Quite odd results actually. It only seems to work when you call out for an
    external JavaScript file.
    
    Justin Cook
    Work: jscookat_private
    Home: jscat_private / jcook@k-lug.org
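    The two error messages quoted above fit a simple model: the browser resolves
    the relative src="extra.js" against the injected URL, drops the last path
    segment, and requests /default.cfm/extra.js; the server treats everything
    after default.cfm as path info and answers with default.cfm itself, so the
    "script" begins with <html> and fails to parse. The Node.js code below is an
    added example, not part of the original post and not CFServer code; the
    tolerant server, the strict variant, and the page contents (copied from the
    post's test files) are constructed for the simulation and are assumptions.

```javascript
// Simulation of relative-URL resolution plus path-info dispatch.
// Server behaviour here is an assumed model consistent with the errors
// reported in the post, not the real CFServer implementation.

// Constructed copies of the post's two test files.
const DEFAULT_CFM =
  '<html>\n<head>\n <title>CFML Cross-site Scripting Vulnerability Testing</title>\n' +
  ' <script language="javascript" src="extra.js"></script>\n</head>\n</html>\n';
const EXTRA_JS =
  '/* does nothing */\nfunction foo() {\n\tvar bar="foo";\n\treturn bar;\n}\n';

// Browser side: WHATWG relative resolution. The last segment of the base path
// is replaced, so ">alert(document.domain)" vanishes and the request goes to
// /default.cfm/extra.js (the URL shown in the NS 4.7 error).
function resolveScriptSrc(pageUrl, src) {
  return new URL(src, pageUrl).href;
}

function respond(status, type, body, pathInfo) {
  return { status, type, body, pathInfo };
}

// Assumed path-info-tolerant server: any path under /default.cfm/... is
// dispatched to default.cfm, with the remainder exposed as path info.
function serveTolerant(url) {
  const p = new URL(url, 'http://domain/').pathname;
  if (p === '/default.cfm' || p.startsWith('/default.cfm/')) {
    const info = decodeURIComponent(p.slice('/default.cfm'.length));
    return respond(200, 'text/html', DEFAULT_CFM, info);
  }
  if (p === '/extra.js') return respond(200, 'application/javascript', EXTRA_JS, '');
  return respond(404, 'text/plain', 'Not Found', '');
}

// Hardened variant (assumed): exact path match only, so a request carrying
// extra segments after default.cfm is refused instead of being reflected.
function serveStrict(url) {
  const p = new URL(url, 'http://domain/').pathname;
  if (p === '/default.cfm') return respond(200, 'text/html', DEFAULT_CFM, '');
  if (p === '/extra.js') return respond(200, 'application/javascript', EXTRA_JS, '');
  return respond(404, 'text/plain', 'Not Found', '');
}

// Walk the sequence the post describes: fetch the page, then fetch the script
// it references, and try to parse the script body as JavaScript.
function loadPage(pageUrl, serve) {
  const page = serve(pageUrl);
  const scriptUrl = resolveScriptSrc(pageUrl, 'extra.js');
  const script = serve(scriptUrl);
  let scriptError = null;
  if (script.status === 200) {
    try {
      new Function(script.body); // parse only; nothing is executed
    } catch (e) {
      scriptError = e.name; // "SyntaxError" when the body starts with <html>
    }
  }
  return {
    pageStatus: page.status,
    pathInfo: page.pathInfo,
    scriptUrl,
    scriptStatus: script.status,
    scriptIsHtml: script.status === 200 && script.body.startsWith('<html>'),
    scriptError,
  };
}

// Stand-alone run: injected URL against the tolerant and the strict server.
const injected = 'http://domain/default.cfm/>alert(document.domain)';
console.log(loadPage(injected, serveTolerant));
console.log(loadPage(injected, serveStrict));
console.log(loadPage('http://domain/default.cfm', serveTolerant));
```

    Running it shows the tolerant server answering the injected request with
    status 200 and path info "/>alert(document.domain)", the script request
    landing on http://domain/default.cfm/extra.js and coming back as HTML that
    raises a SyntaxError, while the strict server returns 404 for the injected
    URL and the clean request to /default.cfm resolves its script to
    http://domain/extra.js and parses without error.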
    



    This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 13:20:14 PDT