Hi,

Looks like the http_keepalive_send_recv calls need bodyonly:1 in there. The script is causing a false positive because the XSS code appears in the headers. Though this does raise the possibility of header splitting as described by the recent Sanctum paper.

Paul

David Kyger wrote:

> script phpbb_xss is firing when I hit no404 web servers. Should this script be dependent upon no404.nasl?
>
> # excerpt from the plugin: port and dir are set earlier in the script
> req = http_get(item:dir + "/viewtopic.php?t=10&postdays=99<script>foo</script>", port:port);
> buf = http_keepalive_send_recv(port:port, data:req);
> if(buf == NULL)exit(0);
> req = http_get(item:dir + "/viewforum.php?f=10&postdays=99<script>foo</script>", port:port);
> buf2 = http_keepalive_send_recv(port:port, data:req);
> if(buf2 == NULL)exit(0);
>
> # matches the marker anywhere in the raw response, headers included
> if("<script>foo</script>" >< buf ||
>    "<script>foo</script>" >< buf2 )
> {
>   security_warning(port);
>   exit(0);
> }
>
> buf =
> HTTP/1.1 302 Object moved
> Location: http://
> /phpBB/viewtopic.php?t=10&postdays=99<script>foo</script>
>
> buf2 =
> HTTP/1.1 302 Object moved
> Location: http://
> /phpBB/viewtopic.php?t=10&postdays=99<script>foo</script>
>
> -dave
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@private
> http://mail.nessus.org/mailman/listinfo/plugins-writers

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@private
web: www.westpoint.ltd.uk
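The false positive Paul describes, and the header-splitting follow-up he raises, as an added example that is not part of either message or of the Nessus plugin. It reproduces the quoted plugin's whole-response match against a constructed 302 modelled on Dave's buf (placeholder host), shows the body-only check that bodyonly:1 gives you together with a status gate, and adds a simple probe for a CRLF reflected into the header block. The response strings, the canary header name and the host are all constructed for the example.

```python
"""Why phpbb_xss fires on a no404 redirect and how a body-only match avoids it.

Added example for this thread; not code from the Nessus plugin or either poster.
All responses are constructed; target.example is a placeholder host.
"""

MARKER = "<script>foo</script>"

# A no404-style server: every request is answered with a redirect and the probe
# is echoed in the Location header, never in a body. Modelled on Dave's buf.
REDIRECT_ECHO = (
    "HTTP/1.1 302 Object moved\r\n"
    "Location: http://target.example/phpBB/viewtopic.php"
    "?t=10&postdays=99<script>foo</script>\r\n"
    "\r\n"
)

# A genuinely vulnerable page: the probe is reflected unescaped in the HTML body.
BODY_ECHO = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Bad value for postdays: 99<script>foo</script></body></html>\r\n"
)

# A header-splitting candidate: a CRLF sent in the parameter (%0d%0a) came back as
# a line break inside the header block, so a header the scanner named now exists.
SPLIT_ECHO = (
    "HTTP/1.1 302 Object moved\r\n"
    "Location: http://target.example/phpBB/viewtopic.php?t=10&postdays=99\r\n"
    "X-Injected: 1\r\n"
    "\r\n"
)


def split_response(raw):
    """Split a raw HTTP response into (status_code, {header: value}, body).

    Header names are lowercased; a malformed status line yields code None.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    try:
        code = int(parts[1])
    except (IndexError, ValueError):
        code = None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers, body


def naive_xss_check(raw):
    """The quoted plugin logic: the marker anywhere in the whole response."""
    return MARKER in raw


def body_only_xss_check(raw):
    """What bodyonly:1 buys you, plus refusing anything but a 200.

    The redirect case fails both gates: the status is 302 and the body is empty.
    """
    code, _, body = split_response(raw)
    return code == 200 and MARKER in body


def header_injection_check(raw, canary="x-injected"):
    """Report whether a header the scanner named in its CRLF probe came back.

    If the echo lives in Location, the question worth asking next is whether a
    CRLF survives into it; a canary header appearing in the parsed block says yes.
    """
    _, headers, _ = split_response(raw)
    return canary in headers


if __name__ == "__main__":
    for name, raw in (("redirect", REDIRECT_ECHO), ("body", BODY_ECHO), ("split", SPLIT_ECHO)):
        print(name, "naive:", naive_xss_check(raw),
              "body-only:", body_only_xss_check(raw),
              "crlf:", header_injection_check(raw))
```

Run stand-alone it prints one line per constructed response: the redirect trips the naive check but not the body-only one, the real reflection trips both, and only the split case reports an injected header. The status gate matters independently of bodyonly: a 302 with an empty body already cannot be a reflected XSS finding, so checking the code first also covers servers that echo the probe into a non-empty error body.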
This archive was generated by hypermail 2b30 : Wed Mar 24 2004 - 09:09:19 PST