Vulnerability Development mailing list archives
Re: Squid doesn't quote urls in error messages.
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Tue, 31 Oct 2000 09:34:06 +0800
At 12:16 PM 28-10-2000 +1100, Robert Collins wrote:
> You have to get the browser to send non-escaped URIs for that to work.
Some Netscape browsers don't convert spaces to %20. But you don't need to rely on that. All you need to do is find some way of getting the Squid proxy to complain, and then it will send an error page with the url to you.
For example you could try:
http://nonexistentname.amazon.com/<script>alert(this.document.cookie)</script>
Squid will then give you a "The requested URL could not be retrieved" page, and if you have javascript enabled you'll get an alert box.
> What's the general consensus on this as a risk? Getting the exact unaltered url from squid is very useful for troubleshooting problems through squid. And Squid cannot change the url when it receives it - that's against rfc
I strongly agree, getting the exact unaltered url from squid can be useful. But if I'm getting one, I want an exact unaltered url from squid, not a full-fledged autosubmitting form or fancy javascript bird flying around my cursor ;). It's a risk, especially to those who have javascript on. I believe there are already ways to exploit it. Even if there aren't any now, I'm sure Mr Georgi Guninski can come up with one or two every couple of weeks ;).
Cheerio,
Link.
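The two positions in this message are compatible: the proxy can leave the request URL untouched and still quote it for HTML at the moment it is written into the error page, so the reader sees the exact URL as text. The following is an added example, not part of the original message and not Squid's own code; `html_escape` and `render_error` are hypothetical names, and the sample URL is the one quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: HTML-escape src into dst (output encoding only;
 * the URL used for the upstream request is never modified).
 * Returns bytes written excluding NUL, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen)
            return -1;   /* fail closed rather than emit a truncated entity */
        if (rep)
            memcpy(dst + o, rep, n);
        else
            dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hypothetical renderer: build the error body with the URL shown as text. */
int render_error(const char *url, char *page, size_t pagelen)
{
    char quoted[1024];
    if (html_escape(url, quoted, sizeof quoted) < 0)
        return -1;
    int n = snprintf(page, pagelen,
        "<p>The requested URL could not be retrieved</p>\n<pre>%s</pre>\n", quoted);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

int main(void)
{
    char page[2048];
    const char *url = "http://nonexistentname.amazon.com/<script>alert(this.document.cookie)</script>";
    if (render_error(url, page, sizeof page) > 0)
        fputs(page, stdout);   /* browser displays the URL verbatim, runs nothing */
    return 0;
}
```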