Next message: Curt Wilson: "Re: Possible Yahoo Messenger security issues"
at your local vendor...securityfocus :-)
http://www.securityfocus.com/archive/1/138297
a nice url with some links to more information.
grt marshal
Oliver, Todd wrote:
>Where could I obtain solid documentation on Cross-Site Scripting
>vulnerabilities and how they work and what kind of exposures they
>create?
>
>Thanks
>
>
>Todd
>
>-----Original Message-----
>From: Ed Moyle [mailto:emoyleat_private]
>Sent: Friday, January 04, 2002 2:33 PM
>To: vuln-devat_private
>Subject: Cross-Site Scripting in PlumTree?
>
>
>Hi.
>
>Anybody know about cross-scripting in PlumTree? I happened to notice
>this while I was at the plumtree-hosted demonstration site
>(portal.plumtree.com.) It appears as if plumtree portal ships by
>default some error page (error.asp) that parrots back the message that
>appears as part of the request URI. This error page seems to recieve an
>argument that is a textual description of the error that is shown to the
>user on the resulting page...
>
>In the below example, <plumtreeserver> should point to the plumtree
>server (obviously), and <portalname> should be the directory for the
>portal. For example, you might have a plumtree server called
>"portal.domain.dom" and the first directory was called "portal"...
>
>http://>/<portalname>/common/error.asp?UserID=2&Descripti
>on=%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B%
>3C/script%3e
>
>(seems to work w/ IE, but is not tested on Netscape.)
>
>Does anybody know if PlumTree has a procedure to fix this posted
>somewhere? -E
>
This archive was generated by hypermail 2b30
: Sun Jan 06 2002 - 16:47:19 PST