httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From matti matti <geono...@gmail.com>
Subject [users@httpd] XSS vulnerability in default (debian etch installation)?
Date Thu, 19 Mar 2009 20:47:10 GMT
Hi,

If I do in firefox try:
http://hostname/%3CScRipT%20%3Ealert(%27test%27)%3B%3C%2FScRipT%20%3E

I get a popup with the text "test", and a:

Not Found

The requested URL / was not found on this server.

I havent got many modules loaded, and added only virtualhosts. This does not
work in apache 2.0.x of CentOS 4.6.
Instead of taking this to debian mailinglist, Im asking here because Im very
curoius why this works, isnt this a XSS flaw of magnitude, or am I missing
something?

Thanks in advance,

Mime
View raw message