[NEWS] Emerging XSS Vulnerabilities in html Log Viewers

 
nospam173




(Msg. 1) Posted: Sun Jul 20, 2003 8:15 pm
Post subject: [NEWS] Emerging XSS Vulnerabilities in html Log Viewers
Archived from groups: alt>apache>configuration

Thought this to be of interest to the group.

http://isc.incidents.org/analysis.html?id=182

"On March 4th, security researchers Hugo Vazquez Caram & Toni Cortés
Martínez of Infohacking Research, Barcelona, Spain, posted
vulnerability information to bugtraq demonstrating what they call
"ILLC" (Inverse Lookup Log Corruption) on multiple html log
analyzers. They provide examples of attacks that successfully
accomplish Log "IP Spoofing", code injection and hiding
requests. Their work describes a method for sending XSS malicious code
in a domain name returned to information systems performing
inverse/reverse DNS lookups. Their research also covered an additional
XSS exploit and raised DNS issues."

The link goes into more detail about IP Spoofing and Apache 1.3.27.
I'm not sure if this issue has been addressed in any way with the
recent release of 1.3.28; I can't see any reference to it in the
change log. However, the problem seems to exist more at a
configuration level than a bug in Apache.

Regards,
TOG

--
../configure --prefix=~/zyterion
Not this guy or that guy, The Other Guy.

"If you're not thoroughly confused by now, then you just
don't understand the situation."
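
A defensive sketch of the log-viewer side of the issue quoted above, added here as an example (it is not part of the original post or of any log analyzer's code): the name returned by the reverse lookup is treated as untrusted, shown only if it is a well-formed hostname that also resolves forward to the logged IP, and every field is HTML-escaped on output. The function names, the `forward_lookup` callable and the sample records are assumptions constructed for illustration.

```python
import html
import re

# One DNS label as RFC 1123 allows in a hostname: letters, digits, inner hyphens.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_hostname(name):
    """True only if `name` is syntactically a plain hostname."""
    name = name[:-1] if name.endswith(".") else name
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def display_host(ip, ptr_name, forward_lookup):
    """Show the PTR name only if it is a well-formed hostname AND resolves
    forward to the logged IP; otherwise fall back to the IP itself."""
    if ptr_name and is_hostname(ptr_name) and ip in forward_lookup(ptr_name):
        return ptr_name
    return ip

def render_row(ip, ptr_name, request, forward_lookup):
    """Build one HTML table row; every untrusted field is escaped on output."""
    host = display_host(ip, ptr_name, forward_lookup)
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(host), html.escape(request))

# Constructed sample data (documentation address ranges, not real hosts).
FORWARD = {"crawler.example.net": {"192.0.2.10"},
           "intranet.example.org": {"198.51.100.7"}}

def sample_lookup(name):
    """Offline stand-in for a forward (A record) lookup."""
    return FORWARD.get(name.lower(), set())

SAMPLE = [
    ("192.0.2.10", "crawler.example.net", "GET /index.html HTTP/1.0"),
    # PTR value carrying markup instead of a hostname
    ("203.0.113.5", "<script>alert(1)</script>.example.net", "GET / HTTP/1.0"),
    # PTR naming a host that the client's IP does not forward-resolve to
    ("203.0.113.5", "intranet.example.org", "GET /<b>x</b> HTTP/1.0"),
]

def render_report():
    return [render_row(ip, ptr, req, sample_lookup) for ip, ptr, req in SAMPLE]

if __name__ == "__main__":
    print("\n".join(render_report()))
```

In a real deployment `forward_lookup` would wrap the resolver; the request line is escaped as well because it is equally client-controlled.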
