Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: b06-1492.htm

Cherokee Webserver XSS
XSS Bug in Cherokee Webserver
XSS Bug in Cherokee Webserver

Tuesday 4 of April of 2006, I have detected that it is possible to mount an attack of the type Cross Site Scripting (XSS) in cherokee-0.5.0 and all previous versions.

The problem resides, when introducing code HTML in the URL. Because previously, it was let now of a seemed failure, from version 0.4.8 filter the characters < > when an error 404 happens. But if cherokee does not understand the request (Error 400) gives back the string introduced by the user, without no modification, allowing that can be injected I code HTML, to the client.

Proofs of concepts: http://localhost:80 http://localhost/..

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH