[21330] in bugtraq

RE: Multiple Vendor Java Servlet Container Cross-Site Scripting V

daemon@ATHENA.MIT.EDU (Cook, Justin S. (Schmidt))
Tue Jul 3 16:19:35 2001

Message-ID: <1127EAFA189AD41182400090278935CAA8098C@schexch1.taylorcorp.com>
From: "Cook, Justin S. (Schmidt)" <JSCook@schmidt.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Tue, 3 Jul 2001 07:47:14 -0500 
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

This same vulnerability seems to be partially evident for CFServer (at least
version 4.5).

Using the following code:

default.cfm
-----------
<html>
<head>
 <title>CFML Cross-site Scripting Vulnerability Testing</title>
 <script language="javascript" src="extra.js"></script>
</head>
</html>

extra.js
---------
/* does nothing */
function foo() {
	var bar="foo";
	return bar;
}

If you do a request in your browser for
http://domain/default.cfm/<script>alert(document.domain)

You can see that the JS is at least partially interpreted because it shows
up in the IE errors. If viewed in Netscape, you see that there is a syntax
error with the first tag (in this case <html>).

IE Error: 
Line: 4
Char: 1
Error: Syntax Error
Code: 0
URL: http://domain/default.cfm/<script>alert(document.domain) 

NS 4.7 Error: 
JavaScript Error:
http://domain/default.cfm/extra.js,
line 3:

syntax error. 

<html>
^

Quite odd results actually. It only seems to work when you call out for an
external javascript file. 

Justin Cook
Work: jscook@schmidt.com
Home: jsc@themes.org / jcook@k-lug.org
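The behaviour reported in the post, modelled as an added example (not part of the original message): the browser resolves the relative src "extra.js" against the requested URL, so with path info appended the include is fetched from /default.cfm/extra.js, which the server answers with the HTML of default.cfm, hence the syntax error on `<html>` that NS 4.7 reports. The toy server's path-to-script mapping and the root-relative fix are assumptions for illustration, not CFServer's documented behaviour.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-ins for the two files shown in the post.
DEFAULT_CFM = ('<html>\n<head>\n <title>CFML Cross-site Scripting Vulnerability Testing</title>\n'
               ' <script language="javascript" src="extra.js"></script>\n</head>\n</html>\n')
EXTRA_JS = '/* does nothing */\nfunction foo() {\n\tvar bar="foo";\n\treturn bar;\n}\n'

PAGE_URL = "http://domain/default.cfm/<script>alert(document.domain)"  # the request from the post


def split_path_info(path):
    """Split a request path into the script that handles it and the trailing path info.

    Assumption (modelled, not CFServer's documented behaviour): the first segment
    ending in .cfm is the script; everything after it is path info.
    """
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if seg.lower().endswith(".cfm"):
            return "/".join(segments[:i + 1]), "/".join([""] + segments[i + 1:])
    return path, ""


def serve(url):
    """Toy server: route by script path and ignore path info, the mapping the NS error implies."""
    script, _info = split_path_info(urlsplit(url).path)
    if script == "/default.cfm":
        return "text/html", DEFAULT_CFM
    if script == "/extra.js":
        return "application/x-javascript", EXTRA_JS
    return "text/plain", "not found"


def resolve_script_src(page_url, src):
    """What the browser requests for <script src=...>: src resolved against the page URL."""
    return urljoin(page_url, src)


def fetch_script(page_url, src):
    """Resolve the include, fetch it from the toy server, and report whether a JS engine
    would parse it (a body starting with '<' is HTML and fails, as in the post)."""
    url = resolve_script_src(page_url, src)
    ctype, body = serve(url)
    parses_as_js = not body.lstrip().startswith("<")
    return url, ctype, parses_as_js


if __name__ == "__main__":
    # Relative src breaks under path info; a root-relative src ("/extra.js") does not.
    for src in ("extra.js", "/extra.js"):
        url, ctype, ok = fetch_script(PAGE_URL, src)
        print(f'src="{src}" -> {url} ({ctype}) parses as JS: {ok}')
```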
