[31967] in bugtraq
Divine OpenMarket Content Server XSS
daemon@ATHENA.MIT.EDU (Valgasu)
Fri Oct 3 18:56:31 2003
Message-ID: <007e01c389f9$0069c6a0$0202020a@x>
From: "Valgasu" <valgasu@rstack.org>
To: <bugtraq@securityfocus.com>
Cc: <support@divine.com>
Date: Fri, 3 Oct 2003 23:47:21 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content Server is a web content management from Divine (www.divine.com)
A Cross Site Scripting in this product allows injection of hostile
HTML/script
into the error page.
Example :
http://www.mouffleton.com/servlet/ContentServer?pagename=<body%20onload=alert(document.cookie);>
Workaround :
Catch error and display a standard error page without echo of the file name.
Valgasu
http://valgasu.rstack.org
http://www.rstack.org
