Re: Squid cross-site scripting (Fw: Squid doesn't quote urls in error messages.)

From: Rude Yak (rudeyakat_private)
Date: Wed Jul 18 2001 - 08:54:38 PDT


      Short term, would it be possible to remove "%U" from ERR_* in
    squid/etc/errors, or does the issue apply to other %-tags in squid templates as
    well?
    
    --------------------------------------------------------------------------
    
    
    I noticed that Squid 2.3.STABLE4 doesn't quote URLs in error messages.
    
    For example, if a user visits the following URL
    
    http://www.dotcom.com/ <b>test</b>
    
    The user will get an invalid URL page with test in bold.
    
    Or even more fun with:
    http://www.somecompany.com/ src="http://www.mysite.com/mylogo.gif">
    
    You can actually get a working form in such an error message! JavaScript too.
    
    So it may be possible to rip out other sites' cookies from browsers using
    this (see DKrypt's and other people's stuff on it).
    
    Also maybe do a fake form/page :).
    
    
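As an added illustration (not code from this thread or from Squid): a minimal C template expander in which `%U` is replaced by the request URL, once raw as the report describes and once HTML-escaped. The function names and the template string are assumptions; the sample URL is the first one from the report.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper: append src to dst, entity-encoding HTML
 * metacharacters when escape is set. Returns -1 if cap is too small. */
static int append_piece(char *dst, size_t cap, const char *src, int escape)
{
    size_t len = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (escape ? *src : '\0') {   /* no case matches when not escaping */
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (len + n + 1 > cap) return -1;
        memcpy(dst + len, rep, n + 1);
        len += n;
    }
    return 0;
}

/* Expand tmpl into out: %U is the request URL (untrusted), %% is a
 * literal '%'. escape=0 reproduces the raw substitution from the report. */
int render_error(char *out, size_t cap, const char *tmpl, const char *url, int escape)
{
    if (cap == 0) return -1;
    out[0] = '\0';
    for (const char *p = tmpl; *p; p++) {
        int is_url = (p[0] == '%' && p[1] == 'U');
        if (!is_url && p[0] == '%' && p[1] == '%') p++;   /* %% -> '%' */
        char lit[2] = { *p, '\0' };                       /* trusted template text */
        if (append_piece(out, cap, is_url ? url : lit, is_url && escape) < 0) return -1;
        if (is_url) p++;                                  /* skip the 'U' */
    }
    return 0;
}

int main(void)
{
    /* Constructed template; the URL is the first example from the report. */
    const char *tmpl = "<p>Invalid URL: %U</p>", *url = "http://www.dotcom.com/ <b>test</b>";
    char buf[256];
    for (int esc = 0; esc <= 1; esc++)
        if (render_error(buf, sizeof buf, tmpl, url, esc) == 0) printf("escape=%d: %s\n", esc, buf);
}
```

Escaping at the point of substitution keeps the URL visible in the error page, whereas dropping the tag from the templates removes it from the page altogether.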
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 08:59:47 PDT