design5 at softflow.co.uk
Thu Jun 26 03:08:01 CDT 2008
snippets from the HTML source:
<form action='/Cookbook/Cookbook?action=edit&'><script>alert("XSS")</script>' method='post'
in FF, which automatically cleans the URL input:
<form action='/Cookbook/Cookbook?action=edit&%27%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E' method='post'
I tested on my own website and got an HTTP 406 "Not Acceptable"
response page, apparently because the URL is filtered by Apache
module mod_auth_passthrough. The <script> seems to have triggered
this. That does not mean that it is safe though.
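The attribute breakout described above, next to the escaping that would prevent it, as an added example written for this page in Python rather than PmWiki's own PHP: the raw and Firefox-encoded query strings are the two snippets from the post, embedded here as constructed inputs, and html.escape in attribute context is the assumed fix. A browser-like parse shows that the encoded version only looks safe because of the client.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the raw query string shown in the post's first HTML
# snippet, and the percent-encoded form Firefox sent for the same request.
RAW_QS = "action=edit&'><script>alert(\"XSS\")</script>"
FIREFOX_QS = "action=edit&%27%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E"

def form_action_unescaped(query_string):
    """Vulnerable pattern: the request's query string is echoed verbatim into
    a single-quoted attribute, so a ' in it closes the attribute early."""
    return "<form action='/Cookbook/Cookbook?%s' method='post'>" % query_string

def form_action_escaped(query_string):
    """Hardened pattern (assumed fix): escape for HTML attribute context,
    quotes included, before interpolating. The browser decodes the
    entities again, so the action URL itself is unchanged."""
    return "<form action='/Cookbook/Cookbook?%s' method='post'>" % html.escape(
        query_string, quote=True)

class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser sees, plus the
    form's parsed action attribute."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_action = dict(attrs).get("action")

def parse_tags(markup):
    """Return (list of start tags, parsed form action) for a markup string."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.form_action

def attribute_breaks_out(markup):
    """True if anything other than the single <form> tag got parsed, i.e.
    the interpolated value escaped the attribute and became markup."""
    tags, _ = parse_tags(markup)
    return tags != ["form"]

if __name__ == "__main__":
    for label, qs in (("raw client", RAW_QS), ("Firefox-encoded", FIREFOX_QS)):
        print(label, "unescaped breaks out:", attribute_breaks_out(form_action_unescaped(qs)))
        print(label, "escaped breaks out:  ", attribute_breaks_out(form_action_escaped(qs)))
```

Only the Firefox-encoded string is harmless when echoed unescaped; a client that does not percent-encode (or the server echoing it into a different context) is not protected, which is why the 406 from Apache is a side effect rather than a fix.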