vqServer Demo Files Cross-Site Scripting

From: Matthew Murphy (mattmurphyat_private)
Date: Sun Apr 21 2002 - 08:16:54 PDT

        vqServer is a Windows web server written in Java.  It is an innovative
    product, with support internally for Servlets, and external support for many
    kinds of CGI (EXE, Perl, ...).
    
        However, some of the examples shipped in a default configuration of
    vqServer contain multiple cross-site scripting vulnerabilities.  In one
    case, it is possible to create a cookie-based(?) attack that persists
    forever for a specific IP address.  This could be used to attack the target
    via "Cookie Scripting" bugs in many known browsers.
    
    Example:
    
    (Requires Perl Interpreter)
    
    http://localhost/cgi/vq/demos/respond.pl?>alert("I%20should%20not%20be%20able%20to%20do%20this!!!")</SCRIPT>
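
A defender-side check for the issue reported above, as an added example that is not part of the original post: it scans web-server access-log lines for requests to the demo path from the advisory's URL whose query string decodes to HTML markup. The Common Log Format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Path prefix taken from the example URL in the advisory.
DEMO_PREFIX = "/cgi/vq/demos/"

# Request line of a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Markup characters that a demo-script query string should never carry.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2002:08:20:01 -0700] "GET /cgi/vq/demos/respond.pl?name=alice HTTP/1.0" 200 512',
    '192.0.2.77 - - [21/Apr/2002:08:21:14 -0700] "GET /cgi/vq/demos/respond.pl?%3Cb%3Ehello%3C%2Fb%3E HTTP/1.0" 200 498',
    '192.0.2.77 - - [21/Apr/2002:08:21:40 -0700] "GET /cgi/vq/demos/respond.pl?%253Ci%253Ex HTTP/1.0" 200 470',
    '192.0.2.31 - - [21/Apr/2002:08:22:03 -0700] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 1024',
    '192.0.2.90 - - [21/Apr/2002:08:23:55 -0700] "GET /CGI/VQ/Demos/respond.pl?x=%22 HTTP/1.0" 200 466',
]


def decode_repeatedly(value, rounds=3):
    """Percent-decode up to `rounds` times so double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_demo_requests(log_lines):
    """Return (line_number, decoded_query) for demo-script requests carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        # Compare case-insensitively: the server runs on Windows.
        if not decode_repeatedly(path).lower().startswith(DEMO_PREFIX):
            continue
        decoded = decode_repeatedly(query)
        if MARKUP_RE.search(decoded):
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, query in flag_demo_requests(SAMPLE_LOG):
        print(f"line {number}: markup in demo query: {query!r}")
```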
    


