Bugtraq mailing list archives
Re: Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12
From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: Sat, 05 Feb 2005 11:49:06 +0100
On Friday, 04 February 2005 at 06:10 -0600, Jonathan Rockway wrote:
> https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl
Another test page is located here: http://nicob.net/cgi-bin/content-type.cgi
> The security problem is that servers serving HTML may be taking measures to prevent XSS attacks; i.e. they convert < to &lt;. These servers, when serving plain text, may not do this (because it is unnecessary and undesirable).
Some Oracle webapps are doing exactly that: sending content with a text/html content-type and not bothering to escape HTML or JavaScript tags.

--
Nicolas Gregoire
-----
Consultant en Sécurité des Systèmes d'Information
ngregoire () exaprobe com
------[ ExaProbe ]------
http://www.exaprobe.com/
PGP KeyID: CA61B44F
FingerPrint: 1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
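The two failure modes in this thread, a server that escapes only when it believes it is serving HTML, and a browser that renders text/plain as HTML anyway, can be checked on the server side. The following is an added example written for this archive page, not code from either poster or from Apple or Oracle: `render_untrusted` mirrors the escaping policy the quoted post describes, and `audit_response` flags responses that a content-sniffing browser could render as markup. The `X-Content-Type-Options: nosniff` check is a later mitigation that was not available in 2005 and is included here as a defender's caveat; the tag patterns, function names and sample responses are constructed for the example.

```python
"""Audit HTTP responses for the text/plain vs. text/html escaping gap.

Constructed example for the Bugtraq thread on Safari 1.2.4 rendering
text/plain as HTML; not code from the original posts.
"""
import html
import re
from typing import Dict, List

# Tags that execute script or load active content if rendered as HTML.
ACTIVE_TAG_RE = re.compile(r"</?(script|iframe|object|embed|img|svg)\b",
                           re.IGNORECASE)
# Anything that parses as an HTML start/end tag. "a < b" is deliberately
# not matched: browsers treat "<" followed by whitespace as text.
ANY_TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(\s[^>]*)?>")


def _main_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";")[0].strip().lower()


def render_untrusted(text: str, content_type: str) -> str:
    """Build a body from untrusted input the way the quoted post describes:
    escaped when served as HTML, left raw when served as plain text.
    The raw plain-text branch is what a sniffing browser turns into XSS."""
    if _main_type(content_type) == "text/html":
        return html.escape(text, quote=True)
    return text


def audit_response(headers: Dict[str, str], body: str) -> List[str]:
    """Return findings for a response that a browser could render as HTML.

    Two cases are reported:
      * text/html whose body still carries unescaped active markup
        (the Oracle webapp case from the reply);
      * text/* (or missing) content-type whose body looks like HTML and
        that is not protected by X-Content-Type-Options: nosniff, which a
        sniffing browser (Safari 1.2.4 per the thread) may render as HTML.
    """
    findings: List[str] = []
    norm = {k.lower(): v for k, v in headers.items()}
    ctype = _main_type(norm.get("content-type", ""))
    nosniff = norm.get("x-content-type-options", "").strip().lower() == "nosniff"

    if ctype == "text/html":
        if ACTIVE_TAG_RE.search(body):
            findings.append("text/html body contains unescaped active markup")
    elif ctype.startswith("text/") or ctype == "":
        if ANY_TAG_RE.search(body) and not nosniff:
            findings.append(
                f"{ctype or 'missing'} content-type with HTML-looking body and "
                "no X-Content-Type-Options: nosniff; a sniffing browser may "
                "render it as HTML")
    return findings


# Constructed sample responses, as a server-side audit would see them.
SAMPLES = {
    "escaped_html": ({"Content-Type": "text/html; charset=utf-8"},
                     render_untrusted("<script>alert(1)</script>", "text/html")),
    "raw_plain": ({"Content-Type": "text/plain"},
                  render_untrusted("<script>alert(1)</script>", "text/plain")),
    "raw_plain_nosniff": ({"Content-Type": "text/plain",
                           "X-Content-Type-Options": "nosniff"},
                          "<b>bold</b>"),
    "unescaped_html": ({"Content-Type": "text/html"}, "<img src=x onerror=y>"),
}


def audit_all() -> Dict[str, List[str]]:
    """Run the audit over every sample and return findings keyed by name."""
    return {name: audit_response(h, b) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in audit_all().items():
        print(f"{name}: {found or 'ok'}")
```

Only `escaped_html` and `raw_plain_nosniff` come back clean; `raw_plain` is exactly the plain-text case the quoted post describes, and `unescaped_html` is the Oracle-style response from the reply.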
Current thread:
- Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12 Jonathan Rockway (Feb 04)
- Re: Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12 Nicolas Gregoire (Feb 05)