WebApp Sec: Re: [Webappsec] script inside .txt file

Re: [Webappsec] script inside .txt file

From: Stefano Di Paola <stefano.dipaola_at_wisec.it>
Date: Wed, 25 Apr 2007 10:03:02 +0200

Hi Prashant,

AFAIK there's no solution with FF as it uses Content-Type header to get
the right plugin/parser.

You could try to rename abc.txt to abc.php%00.txt (or whatever extension
the server will interpret) and upload it.
When it'll be downloaded, %00 will become a null char so the latter .txt
could be discarded, resulting in abc.php.

If it doesn't work, try with double encoding: abc.php%2500.txt, just in
case multiple layers/functions are present in the data flow.

Regards
Stefano

On Tue, 24/04/2007 at 23:19 -0700, prashant k v wrote:
> Hello,
>
> i have a web site with upload functionality, users can use site to
> upload .txt files.
> user can access files directly eg:- www.mysite.com/abc.txt
>
> the problem is, if there is a text like
> <script>alert('hello');</script> in that .txt file and if someone opens
> the file in IE the script gets executed, which should not happen.
>
> i am using Apache http server 2.0.59 and IE 7. this problem doesn't
> occur in mozilla, <script>alert('hello');</script> is displayed as it
> is
>
> can anyone help me solve this
>
> Regards
> Prashant
>
>

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Web: www.wisec.it
..................

Received on Apr 25 2007
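The two issues in this thread are the browser sniffing script out of a .txt file and the server accepting a filename with an encoded null byte so that a different extension takes effect. The following is an added example, not code from either poster, showing the server-side checks a defender would put in front of such an upload handler: fully percent-decode the name, reject null bytes, path separators and double extensions, and serve stored files with headers that stop the browser from guessing a type. `validate_upload_name`, `download_headers` and the allowed-extension set are hypothetical names chosen here; `X-Content-Type-Options: nosniff` is honoured by IE8 and later, so for the IE7 in the question the `Content-Disposition: attachment` header is the part that actually prevents inline rendering.

```python
import re
from urllib.parse import unquote

# Only extension the upload feature in the question is meant to accept (assumption).
ALLOWED_EXT = {"txt"}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def decode_fully(name, max_rounds=3):
    """Undo repeated percent-encoding so abc.php%2500.txt and abc.php%00.txt
    both end up as the same raw string before any check is applied."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    return name


def validate_upload_name(raw_name):
    """Return the canonical name to store under, or raise ValueError."""
    name = decode_fully(raw_name)
    # A null byte is what lets a later layer truncate abc.php\x00.txt to abc.php.
    if "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("control character or path separator in filename")
    parts = name.split(".")
    if len(parts) != 2:
        raise ValueError("exactly one extension required")
    base, ext = parts
    if not SAFE_BASENAME.match(base) or ext.lower() not in ALLOWED_EXT:
        raise ValueError("unsupported filename or extension")
    return f"{base}.{ext.lower()}"


def is_acceptable(raw_name):
    """Boolean wrapper around validate_upload_name for callers and tests."""
    try:
        validate_upload_name(raw_name)
        return True
    except ValueError:
        return False


def download_headers(stored_name):
    """Headers to send when a stored .txt is fetched: fixed type, no sniffing,
    and forced download so the browser never renders the body as HTML."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
```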