Attached is a quick hack up SecuriTeam's 40x Cross Site Scripting NASL (without their permission, I hope they're okay with that for a NASL-newbie). This one specifically checks for the Allaire JRUN CSS problem (the scripts require a .jsp, .shtml or .thtml extension tacked on to the end of the request). It is working in my tests, but I'm wondering if there's a better way to handle the three requests (.jsp, .shtml and .thtml) in some sort of loop (or even just adding it easily to the original SecuriTeam NASL)? In my testing I found that one may work and one may not (I assume it depends on the config options of JRUN, but I don't have access to admin the systems), so all three should be tested to be sure. Also, if someone has a 2.3.x JRUN installation to test against... Comments/help appreciated. Thanks Chris
This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 14:40:03 PST