[pmwiki-devel] PITS/01030
Hans
design5 at softflow.co.uk
Thu Jun 26 03:08:01 CDT 2008
PS:
snippets from the HTML source:
in IE:
<form action='/Cookbook/Cookbook?action=edit&'><script>alert("XSS")</script>' method='post'
name='authform'>
in FF, which automatically cleans the url input:
<form action='/Cookbook/Cookbook?action=edit&%27%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E' method='post'
name='authform'>
I tested on my own website and got an HTTP 406 "Not Acceptable"
response page, apparently because the url is filtered by Apache
module mod_auth_passthrough. The <script> seems to have triggered
this. That does not mean that it is safe though.
Hans
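The two snippets above show the same reflected value landing in a single-quoted `action` attribute: in IE the quote and `>` from the URL end the attribute and the tag, so a `<script>` element is created; Firefox happens to percent-encode the URL before sending it, which is why its snippet stays inert. The following is an added example, not PmWiki code and not part of Hans's message, written in Python rather than PmWiki's PHP to show the pattern independently of the wiki: a hypothetical `render_authform_unsafe` that reproduces the vulnerable concatenation, a `render_authform_safe` that URL-encodes the reflected URI server-side and then escapes it for the attribute context, and a `parse_form_markup` check that parses the rendered markup the way a browser would and reports whether any tag other than the form came out of it. The sample request URI is constructed from the URL in the post; all function names are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample input: the request URL from the post, carrying the value
# the author saw reflected into the authform action attribute.
PAYLOAD = "'><script>alert(\"XSS\")</script>"
REQUEST_URI = "/Cookbook/Cookbook?action=edit&" + PAYLOAD


def render_authform_unsafe(request_uri: str) -> str:
    """Vulnerable pattern (hypothetical, mirroring the IE snippet in the post):
    the raw request URI is concatenated straight into a single-quoted attribute,
    so a quote in the URL closes the attribute and a '>' closes the tag."""
    return f"<form action='{request_uri}' method='post' name='authform'>"


def render_authform_safe(request_uri: str) -> str:
    """Hardened version with two independent layers.
    1. Percent-encode path and query so the value is a well-formed URL. This is
       what Firefox did on the client in the post; doing it on the server means
       the result no longer depends on the browser. quote() re-encodes input
       that is already percent-encoded, which is fine for this example.
    2. Escape for the HTML attribute context. This layer alone already stops
       the breakout, because ' < > become &#x27; &lt; &gt;."""
    parts = urlsplit(request_uri)
    safe_path = quote(parts.path, safe="/")
    safe_query = quote(parts.query, safe="=&")  # keep the key=value&key=value structure
    safe_uri = urlunsplit((parts.scheme, parts.netloc, safe_path, safe_query, ""))
    return "<form action='%s' method='post' name='authform'>" % html.escape(safe_uri, quote=True)


class _FormTagCollector(HTMLParser):
    """Records every start tag seen and the action attribute of the first <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form" and self.action is None:
            self.action = dict(attrs).get("action")


def parse_form_markup(markup: str) -> Tuple[List[str], Optional[str]]:
    """Detection check: parse the rendered markup and return (tags, form action).
    Any tag other than 'form' in the list means the attribute was broken out of."""
    collector = _FormTagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.action


if __name__ == "__main__":
    for label, render in (("unsafe", render_authform_unsafe), ("safe", render_authform_safe)):
        markup = render(REQUEST_URI)
        tags, action = parse_form_markup(markup)
        print(f"{label}: tags={tags}\n  action={action}\n  {markup}")
```

Run stand-alone, the unsafe renderer yields two tags (`form` and `script`) from the post's URL while the safe renderer yields only `form`, with the reflected value surviving as harmless `%27%3E%3Cscript%3E...` inside the attribute. The 406 the author saw from Apache is a separate, server-side filter and does not change the page's own output; the fix belongs where the attribute is built.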