httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 58599] Self XSS Leading to Extremely simple DoS
Date Sun, 08 Nov 2015 20:38:09 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=58599

pablo <pabstersac@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #2 from pablo <pabstersac@gmail.com> ---
Ok (In reply to Eric Covener from comment #1)
> Security reports belong in email to security@apache.org. You'll need to
> describe something more concrete in terms of inputs and outputs.

Ok, the input is basically just changing the URL to
javascript:document.write(0); while the website is loading. Or you can put
3.3.3.3 in the URL when you are on the website and then
javascript:document.write(0);. What happens is that you then go to a blank page
with 0 there, but the URL is the same as the website's and the website will keep
on loading. Since the input expected by the website is for index.html (for
example) to be loaded and instead there is only a blank page with 0, it will
keep on trying until it happens, which is never or when I refresh the
website. This is just an example of why this might be. This is because you
allow the user to put in javascript:, but also the way you load the website must
have something dysfunctional or that has a vulnerability that allows a remote
attacker to create an infinite loop or DoS, such as in this case. If this is
not enough, then tell me what I should put.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

