lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <26853.1066294508@www40.gmx.net>
Date: Thu, 16 Oct 2003 10:55:08 +0200 (MEST)
From: "Oliver Karow" <Oliver.Karow@....de>
To: bugtraq@...urityfocus.com
Cc: gzhangx@...mail.com
Subject: CSS Vulnerability in Bajie HTTP JServer


CSS Vulnerability in Bajie HTTP JServer
==========================

Even though the cross-site-scripting vulnerability published under BID 7344
was fixed with 
Built 0.95zxe1, the current version of Bajie HTTP Jserver is still
vulnerable to 
cross-site-scripting attacks. 

Vulnerable versions:
====================

The latest version BajieJSrv/0.95zxv4 and probably older ones.

Exploiting:
===========

The cross side scripting vulnerability can easily be demonstrated with a web
browser:
 
   http://localhost/cgi/bin/test.txt?<script>alert(document.cookie)</script>

The following css’s can be demonstrated either by inserting code into the
html-forms 
with a browser,or sending via netcat a string like:

  POST /servlet/custMsg?guestName=<script>alert("bang")</script> HTTP/1.0

  POST
/servlet/CookieExample?cookiename=<script>alert("bang")</script>&cookievalue=&cookiepath=   
  HTTP/1.0


Vendor:
=======

Name: Gang Zhang (gzhangx@...mail.com)
Homepage: http://go.to/bajie

Discovered by/Credit:
=====================

16.10.2003 Oliver Karow (oliver.karow[at]gmx.de)


-- 
NEU FÜR ALLE - GMX MediaCenter - für Fotos, Musik, Dateien...
Fotoalbum, File Sharing, MMS, Multimedia-Gruß, GMX FotoService

Jetzt kostenlos anmelden unter http://www.gmx.net

+++ GMX - die erste Adresse für Mail, Message, More! +++



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ