at your local vendor...securityfocus :-)

http://www.securityfocus.com/archive/1/138297

a nice url with some links to more information.

grt
marshal

Oliver, Todd wrote:

>Where could I obtain solid documentation on Cross-Site Scripting
>vulnerabilities and how they work and what kind of exposures they
>create?
>
>Thanks
>
>
>Todd
>
>-----Original Message-----
>From: Ed Moyle [mailto:emoyleat_private]
>Sent: Friday, January 04, 2002 2:33 PM
>To: vuln-devat_private
>Subject: Cross-Site Scripting in PlumTree?
>
>
>Hi.
>
>Anybody know about cross-scripting in PlumTree? I happened to notice
>this while I was at the plumtree-hosted demonstration site
>(portal.plumtree.com.) It appears as if plumtree portal ships by
>default some error page (error.asp) that parrots back the message that
>appears as part of the request URI. This error page seems to receive an
>argument that is a textual description of the error that is shown to the
>user on the resulting page...
>
>In the below example, <plumtreeserver> should point to the plumtree
>server (obviously), and <portalname> should be the directory for the
>portal. For example, you might have a plumtree server called
>"portal.domain.dom" and the first directory was called "portal"...
>
>http://<plumtreeserver>/<portalname>/common/error.asp?UserID=2&Description=%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B%3C/script%3e
>
>(seems to work w/ IE, but is not tested on Netscape.)
>
>Does anybody know if PlumTree has a procedure to fix this posted
>somewhere? -E
>
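
The behaviour described in the quoted message, an error page that echoes its Description parameter, shown next to an output-encoded version. This is an added example, not part of the thread and not PlumTree's code: the template, the render functions and injected_tags are hypothetical stand-ins for error.asp, and the sample URI is constructed from the one in the post using its own example host and directory.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed request URI modelled on the one in the post; the host and
# portal directory are the post's own example placeholders.
SAMPLE_URI = ("http://portal.domain.dom/portal/common/error.asp?UserID=2"
              "&Description=%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28"
              "%22Cross-Script%22%29%3B%3C/script%3e")
# Hypothetical error-page template (assumption; the real page is not shown).
TEMPLATE = "<html><body><h1>Error</h1><p>{msg}</p></body></html>"

def description_from(uri):
    """Return the URL-decoded Description parameter ('' if absent)."""
    return parse_qs(urlsplit(uri).query).get("Description", [""])[0]

def render_vulnerable(uri):
    # Echoes the parameter into the page as-is: markup in it becomes markup.
    return TEMPLATE.format(msg=description_from(uri))

def render_hardened(uri):
    # HTML-encodes the parameter before placing it in element content.
    return TEMPLATE.format(msg=escape(description_from(uri), quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(page):
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags

def injected_tags(uri, render):
    """Start tags in the response that the template alone does not produce."""
    found = tags_in(render(uri))
    for tag in tags_in(TEMPLATE.format(msg="")):
        found.remove(tag)
    return found

if __name__ == "__main__":
    print("vulnerable:", injected_tags(SAMPLE_URI, render_vulnerable))
    print("hardened:  ", injected_tags(SAMPLE_URI, render_hardened))
```

The same injected_tags check can serve as a regression test for any page that reflects request parameters.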