ramatkal@hotmail.com wrote:
During a recent Application pen test I came across a url of the form:
http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12345
I changed the url parameter to something like url=www.google.com and google
appeared in my browser. Next, i changed the url to url=www.whatismyip.com,
hoping that the ip address of the webserver would be displayed, however, only
my ip address was displayed.
This means that my browser is loading the url parameter as opposed to the
webserver script fethching the url and then displaying it for me in my browser
right? Is this a security issue?
Basically this means that someone could include undesirable content as
part of that site. e.g. send someone a link to the company's site, that
includes some pornographic/racist/etc content. The original person will
think that the original site is serving that content, and reputational
damage will result.
Note that this is NOT the webserver retrieving the page, and relaying it
to you, your browser is fetching the page. So, you cannot use this to
anonymously portscan hosts on the internet. You probably CAN use this to
do cross site scripting, if you explore reformatting the URL, and
including some HTML or script elements in that parameter.
Look at the exact response to that request, using something like
webscarab or another intercepting proxy, and see exactly where the url
parameter is placed in the response. That will guide you in manipulating
the parameters appropriately.
Rogan
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
