lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <c9bdf4660805081613k24a34bbak758f87aa7a206e78@mail.gmail.com> Date: Fri, 9 May 2008 02:13:21 +0300 From: "lament hero" <lament.hero@...il.com> To: bugtraq@...urityfocus.com Subject: Apache Server HTML Injection and UTF-7 XSS Vulnerability Apache Server HTML Injection and UTF-7 XSS Vulnerability This vulnerability was found by Yaniv Miron and Yossi Yakubov. This vulnerability will allow an attacker to inject an XSS to any Apache server that use the Forbidden 403 default page. After injecting this string: http://www.victim.com/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont%20size=50%3EDEFACED%3C!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//-- You will get a Forbidden 403 error message with an XSS alert. This string is combined from HTML Injection and a XSS string coded in UTF-7. This is only a PoC and because of that the browser should be in auto select mode of encoding so it could use the UTF-7 encoding. This attack had been tested on some Apache versions as 2.2.x and 1.3.x and on some versions of FireFox up to version 2.0.0.x and in IE 6 and 7. We leave it to other hackers to upgrade the attack and make it fully automatic. Yaniv Miron aka "Lament".