| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <007d01c286d7$9cfb4a00$e62d1c41@kc.rr.com> From: mattmurphy at kc.rr.com (Matthew Murphy) Subject: LiteServe Directory Index Cross-Site Scripting There are three different places in the directory index of LiteServe where unsanitized user input is returned to the browser. The first is yet another wildcard DNS vulnerability, the second centers around query strings. Write-Up: http://www.techie.hopto.org/vulns/2002-37.txt * DNS Wildcard XSS This is similar to the Apache XSS of last month. A malicious 'Host' header entity is created by a specially encoded hostname. When the hostname is rejected by the DNS server, the request is routed back to the parent: http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28location%2Ehref%29%22%3E .liteserve.net/dir * Directory Query String XSS The LiteServe directory indexing system fails to strip query strings from indexed folders, meaning that the URL returned by LiteServe is susceptible to cross-site scripting. URL decoding is performed before return: http://liteserve.net/dir?%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28locati on%2Ehref%29%22%3E These are essentially the same HTML, just different issues. There is also a title tag that isn't filtered: http://liteserve.net/dir?%3C%2FTITLE%3E%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22 alert%28location%2Ehref%29%22%3E
Powered by blists - more mailing lists