Re: Recent App Test

["Adam Tuliper" <amt () gecko-software com>]

Why wouldn't this just be a redirect performed from the
webpage. redirect always occur through the client browser,
hence this would explain the behavior. Microsoft has a url
format you can do the exact same thing with on their site..
someone was sending around a "funny" link that looked like
ms's site, and the url was formed in a similiar fashion. So
you clicked on a url to ms's site and were brought to a
page seemingly from microsoft touting mozilla. 


On 18 Aug 2004 08:04:44 -0000
 <ramatkal () hotmail com> wrote:
> During a recent Application pen test I came across a url
> of the form:
>  
http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
>  
> I changed the url parameter to something like
> url=www.google.com and google appeared in my browser.
> Next, i changed the url to url=www.whatismyip.com, hoping
> that the ip address of the webserver would be displayed,
> however, only my ip address was displayed.
>
> This means that my browser is loading the url parameter
> as opposed to the webserver script fethching the url and
> then displaying it for me in my browser right? Is this a
> security issue?
>
>
> Assuming that it was the actual webserver script fetching
> the url parameter and then displaying it for me, I've
> come up with a few vulnerabilities (listed below) and was
> hoping that people might like to share some of their
> ideas.
>    
> 1) Can use vulnsite as a proxy (& hack other sites)
> 2) Can port scan using the vuln site by changing
> url=www.website.com to url=www.sitetoscan.com:port
> 3) Can connect to & port scan machines behind the
> firewall.
>  
>
> Thanks in adance,
> Sol

---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/