RE: Cross-Site Scripting in PlumTree?

From: sq (sqat_private)
Date: Sun Jan 06 2002 - 12:23:12 PST


    This cert.org doc gives a decent overview:
    http://www.cert.org/advisories/CA-2000-02.html
    
    
    > Where could I obtain solid documentation on Cross-Site Scripting
    > vulnerabilities and how they work and what kind of exposures they
    > create?
    > 
    > Thanks
    > 
    > 
    > Todd
    > 
    > -----Original Message-----
    > From: Ed Moyle [mailto:emoyleat_private] 
    > Sent: Friday, January 04, 2002 2:33 PM
    > To: vuln-devat_private
    > Subject: Cross-Site Scripting in PlumTree?
    > 
    > 
    > Hi.
    > 
    > Anybody know about cross-scripting in PlumTree?  I happened to notice
    > this while I was at the plumtree-hosted demonstration site
    > (portal.plumtree.com.)  It appears as if plumtree portal ships by
    > default some error page (error.asp) that parrots back the message that
    > appears as part of the request URI.  This error page seems to receive an
    > argument that is a textual description of the error that is shown to the
    > user on the resulting page...
    > 
    > In the below example, <plumtreeserver> should point to the plumtree
    > server (obviously), and <portalname> should be the directory for the
    > portal.  For example, you might have a plumtree server called
    > "portal.domain.dom" and the first directory was called "portal"...  
    > 
    > http://<plumtreeserver>/<portalname>/common/error.asp?UserID=2&Descripti
    > on=%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B%
    > 3C/script%3e   
    > 
    > (seems to work w/ IE, but is not tested on Netscape.)
    > 
    > Does anybody know if PlumTree has a procedure to fix this posted
    > somewhere? -E
    > 
    > 
    > 
    
    Chris Sullo
    ____________________________________________________
    http://www.cirt.net/
    Default Passwords, Ports, SSIDs & more
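
The reflection described in the quoted message (an error page echoing its Description argument into the response) next to the output-encoded form, as an added example that is not part of the original thread or of Plumtree's code. The page template and function names are hypothetical, and the host and portal directory are the post's own example names; in classic ASP the equivalent encoding call is Server.HTMLEncode.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Request URI from the post, with its example names ("portal.domain.dom",
# "portal") substituted for <plumtreeserver> and <portalname>.
SAMPLE_URI = (
    "http://portal.domain.dom/portal/common/error.asp?UserID=2&Description="
    "%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B"
    "%3C/script%3e"
)

# Hypothetical stand-in for the markup error.asp returns (assumption).
PAGE = "<html><body><h1>Error</h1><p>{message}</p></body></html>"


def description_from(uri):
    """Return the URL-decoded Description parameter, or '' if absent."""
    values = parse_qs(urlsplit(uri).query).get("Description", [""])
    return values[0]


def render_reflecting(uri):
    """Behaviour the post reports: the parameter is written out verbatim."""
    return PAGE.format(message=description_from(uri))


def render_encoded(uri):
    """Same page, with the parameter HTML-encoded before it is written."""
    return PAGE.format(message=escape(description_from(uri), quote=True))


def reflects_markup(rendered, uri):
    """Regression check: True if the raw parameter survives into the page."""
    raw = description_from(uri)
    return bool(raw) and raw != escape(raw, quote=True) and raw in rendered


if __name__ == "__main__":
    for render in (render_reflecting, render_encoded):
        out = render(SAMPLE_URI)
        print(render.__name__, "reflects markup:", reflects_markup(out, SAMPLE_URI))
        print(out)
```
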
    


