Re: Cross-Site Scripting in PlumTree?

From: Marshal (marshal@marshal-soft.com)
Date: 01/07/02


Date: Mon, 07 Jan 2002 00:59:20 +0100
From: Marshal <marshal@marshal-soft.com>
To: "Oliver, Todd" <cto@intellithought.com>

at your local vendor...securityfocus :-)
http://www.securityfocus.com/archive/1/138297

a nice url with some links to more information.

grt marshal

Oliver, Todd wrote:

>Where could I obtain solid documentation on Cross-Site Scripting
>vulnerabilities and how they work and what kind of exposures they
>create?
>
>Thanks
>
>
>Todd
>
>-----Original Message-----
>From: Ed Moyle [mailto:emoyle@scsnet.csc.com]
>Sent: Friday, January 04, 2002 2:33 PM
>To: vuln-dev@securityfocus.com
>Subject: Cross-Site Scripting in PlumTree?
>
>
>Hi.
>
>Anybody know about cross-scripting in PlumTree? I happened to notice
>this while I was at the plumtree-hosted demonstration site
>(portal.plumtree.com.) It appears as if plumtree portal ships by
>default some error page (error.asp) that parrots back the message that
>appears as part of the request URI. This error page seems to receive an
>argument that is a textual description of the error that is shown to the
>user on the resulting page...
>
>In the below example, <plumtreeserver> should point to the plumtree
>server (obviously), and <portalname> should be the directory for the
>portal. For example, you might have a plumtree server called
>"portal.domain.dom" and the first directory was called "portal"...
>
>http://<plumtreeserver>/<portalname>/common/error.asp?UserID=2&Descripti
>on=%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B%
>3C/script%3e
>
>(seems to work w/ IE, but is not tested on Netscape.)
>
>Does anybody know if PlumTree has a procedure to fix this posted
>somewhere? -E
>
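
The reflection described in the quoted report, next to two server-side fixes, as an added example that is not part of the thread and is not Plumtree code. It is a Python stand-in for the error page; the function names, the HTML template, the `Code` parameter and the message table are assumptions, and the host and portal directory are the post's own example values.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Request from the post above, using its example host and portal directory.
SAMPLE_URL = (
    "http://portal.domain.dom/portal/common/error.asp?UserID=2&Description="
    "%3CSCRIPT%20LANGUAGE%3DJAVASCRIPT%3Ealert%28%22Cross-Script%22%29%3B"
    "%3C/script%3e"
)

# Hypothetical page template standing in for the error page's markup.
TEMPLATE = "<html><body><h1>Error</h1><p>{message}</p></body></html>"

# Hypothetical fixed messages kept on the server, keyed by an error code.
ERROR_MESSAGES = {"1": "Your session has expired.", "2": "Access denied."}


def query_param(url, name):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_error_vulnerable(url):
    """Behaviour described in the post: Description is echoed unmodified."""
    return TEMPLATE.format(message=query_param(url, "Description"))


def render_error_escaped(url):
    """Fix 1: HTML-encode the value for a text context before echoing it."""
    return TEMPLATE.format(
        message=escape(query_param(url, "Description"), quote=True)
    )


def render_error_by_code(url):
    """Fix 2: accept only an error code and emit fixed server-side text."""
    code = query_param(url, "Code")  # 'Code' is an assumed parameter name
    return TEMPLATE.format(
        message=ERROR_MESSAGES.get(code, "An error occurred.")
    )


if __name__ == "__main__":
    for render in (render_error_vulnerable, render_error_escaped,
                   render_error_by_code):
        print(render.__name__, "->", render(SAMPLE_URL))
```

In classic ASP the first fix corresponds to passing the value through `Server.HTMLEncode` before writing it to the response.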


