lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1107600546.1639.2.camel@bobby.exaprobe.com>
Date: Sat, 05 Feb 2005 11:49:06 +0100
From: Nicolas Gregoire <ngregoire@...probe.com>
To: bugtraq@...urityfocus.com
Subject: Re: Input Validation Vulnerability in Apple Safari version 1.2.4
	v125.12


Le vendredi 04 février 2005 à 06:10 -0600, Jonathan Rockway a écrit :

> https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl

An other test page is located here :
http://nicob.net/cgi-bin/content-type.cgi

> The security problem is that servers serving HTML may be taking 
> measures to prevent XSS attacks; i.e. they convert < to &lt;.  These 
> servers, when serving plain text, may not do this (because it is 
> unnecessary and undesirable)

Some Oracle webapps are doing exactly that : sending content with a
text/html content-type and not bothering to escape HTML or JavaScript
tags. 

-- 
Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire@...probe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ