Why wouldn't this just be a redirect performed from the
webpage. redirect always occur through the client browser,
hence this would explain the behavior. Microsoft has a url
format you can do the exact same thing with on their site..
someone was sending around a "funny" link that looked like
ms's site, and the url was formed in a similiar fashion. So
you clicked on a url to ms's site and were brought to a
page seemingly from microsoft touting mozilla.
On 18 Aug 2004 08:04:44 -0000
<ramatkal@hotmail.com> wrote:
During a recent Application pen test I came across a url
of the form:
http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
I changed the url parameter to something like
url=www.google.com and google appeared in my browser.
Next, i changed the url to url=www.whatismyip.com, hoping
that the ip address of the webserver would be displayed,
however, only my ip address was displayed.
This means that my browser is loading the url parameter
as opposed to the webserver script fethching the url and
then displaying it for me in my browser right? Is this a
security issue?
Assuming that it was the actual webserver script fetching
the url parameter and then displaying it for me, I've
come up with a few vulnerabilities (listed below) and was
hoping that people might like to share some of their
ideas.
1) Can use vulnsite as a proxy (& hack other sites)
2) Can port scan using the vuln site by changing
url=www.website.com to url=www.sitetoscan.com:port
3) Can connect to & port scan machines behind the
firewall.
Thanks in adance,
Sol
---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/
