| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Jan 2005 20:55:20 -0600
From: Jonathan Rockway <jrockw2@....edu>
To: bugtraq@...urityfocus.com, Marc Ruef <maru@...p.ch>
Subject: Re: Novell GroupWise WebAccess error modules loading
> The injection of scripts seems not to be possible because the required
> tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway@...puter.org>
Student - University of Illinois at Chicago
Powered by blists - more mailing lists