Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
Novell GroupWise WebAccess error modules loading
Jan 17 2005 04:42PM
Marc Ruef (maru scip ch)
(1 replies)
Re: Novell GroupWise WebAccess error modules loading
Jan 19 2005 02:55AM
Jonathan Rockway (jrockw2 uic edu)
> The injection of scripts seems not to be possible because the required
> tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway (at) computer (dot) org [email concealed]>
Student - University of Illinois at Chicago
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
> The injection of scripts seems not to be possible because the required
> tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway (at) computer (dot) org [email concealed]>
Student - University of Illinois at Chicago
[ reply ]