BugTraq
Back to list
|
Post reply
Novell GroupWise WebAccess error modules loading
Jan 17 2005 04:42PM
Marc Ruef (maru scip ch)
(1 replies)
Re: Novell GroupWise WebAccess error modules loading
Jan 19 2005 02:55AM
Jonathan Rockway (jrockw2 uic edu)
> The injection of scripts seems not to be possible because the required
> tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway (at) computer (dot) org [email concealed]>
Student - University of Illinois at Chicago
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
> The injection of scripts seems not to be possible because the required
> tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway (at) computer (dot) org [email concealed]>
Student - University of Illinois at Chicago
[ reply ]