Bugtraq mailing list archives
Re: Novell GroupWise WebAccess error modules loading
From: Jonathan Rockway <jrockw2 () uic edu>
Date: Tue, 18 Jan 2005 20:55:20 -0600
The injection of scripts seems not to be possible because the required tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use at work (advisory pending, the vendor is trying to push patches to other users).
Basically, the software filtered all input that had both a < and a > (but not just a <). So I injected:
<body onload="alert('Security hole.')"This resulted in a dialog box that said "Security hole." WITHOUT any script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will produce a dialog box:
--start-- <html><body> Here is some text. <!-- injected characters --> <body onload="alert('Security hole!')" <!-- end injected characters --> <i>Blah blah blah</i> </body> </html> --end-- Regards, -- Jonathan Rockway <jrockway () computer org> Student - University of Illinois at Chicago
Current thread:
- Novell GroupWise WebAccess error modules loading Marc Ruef (Jan 19)
- Re: Novell GroupWise WebAccess error modules loading Jonathan Rockway (Jan 22)