Fwd: what does this allow?
From: Peter Wood (peterw@firstbase.co.uk)
Date: Thu Jun 19 2003 - 07:45:18 CDT
>From: Vince Hoffman <Vince.Hoffman@uk.circle.com>
>To: "'webappsec@securityfocus.com'" <webappsec@securityfocus.com>
>Subject: what does this allow?
>Date: Thu, 19 Jun 2003 10:20:20 +0100
>X-Mailer: Internet Mail Service (5.5.2653.19)
>
>Hi all,
> I was running a routine Nessus scan on some servers I administrate
>and one of them gave me a warning of
>
>The following requests seem to allow the reading of
>sensitive files or XSS. You should manually try them to see if anything bad
>happens :
>/default.asp?gateway=<script>alert('foo')</script>
>
>I tried that and it worked. I forwarded it to a developer for that machine
>and he didn't seem worried by it. Should he be?
>A bit vague I know, but webapps aren't really my forte.
>
>Thanks,
>Vince
This is a cross-site scripting vulnerability and he should be concerned if
this is a public-facing server. Take a look at
http://sandsprite.com/Sleuth/papers/XSS-Paper.txt
cheers
Pete
----------------------------------------------------------
Peter Wood
Chief of Operations
First Base Technologies
+44 (0)1273 454525
www.fbtechies.co.uk
www.white-hats.co.uk
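The scan finding quoted above is a reflected XSS check: the scanner sends markup in the `gateway` parameter and reports the page if the markup comes back unencoded. The following added example (not code from either poster, and not the original default.asp, whose source is not on the list) models that page in Python. It shows the vulnerable behaviour, the fix (HTML output encoding), and the reflection check a developer can run to confirm the fix. `TEMPLATE`, `gateway_param` and the request string are constructed for illustration.

```python
"""Reflected XSS: a page that echoes a query parameter, shown vulnerable and
fixed, plus the reflection check that a scanner such as Nessus performs.

Added example modelled on the thread's finding; it is not the real default.asp.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request line, copied from the scanner warning in the thread.
NESSUS_REQUEST = "/default.asp?gateway=<script>alert('foo')</script>"

# Hypothetical page body: the parameter is inserted into an HTML element.
TEMPLATE = "<html><body><p>Gateway: {value}</p></body></html>"


def gateway_param(request_line):
    """Extract the 'gateway' query parameter as a server would (hypothetical helper)."""
    query = urlsplit(request_line).query
    return parse_qs(query, keep_blank_values=True).get("gateway", [""])[0]


def render_vulnerable(request_line):
    """The behaviour the scan flagged: the parameter is written into the page
    unchanged, so any markup in it becomes part of the DOM and a <script> tag
    runs in the visitor's browser in the site's origin."""
    return TEMPLATE.format(value=gateway_param(request_line))


def render_fixed(request_line):
    """Same page with output encoding for an HTML element context: <, >, &, and
    quotes become entities, so the browser displays the text instead of
    executing it. (Attribute or JavaScript contexts need their own encoding.)"""
    return TEMPLATE.format(value=escape(gateway_param(request_line), quote=True))


def reflects_unencoded(render, request_line, marker="<script>"):
    """The check a scanner or developer runs: is the injected markup present
    verbatim in the response? True means the page is vulnerable."""
    return marker in render(request_line)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(NESSUS_REQUEST))
    print("fixed:     ", render_fixed(NESSUS_REQUEST))
    print("reflects unencoded (vulnerable):", reflects_unencoded(render_vulnerable, NESSUS_REQUEST))
    print("reflects unencoded (fixed):     ", reflects_unencoded(render_fixed, NESSUS_REQUEST))
```

The same `reflects_unencoded` check is what the developer should run against the live page after the fix: if `<script>` still comes back verbatim, the parameter is still being written out without encoding somewhere.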