Hi
As per info given by you, the web server is just doing some thing of
this sort
<%
response.sendRedirect( request.getParameter( "url" ) );
%>
So in that case, your browser is making the request to the url. This is
just like clicking a href, so don't think anything more can come out of
this. Surely not the port scan etc...
One point though, if they are printing the URL from the request directly
(as in the code snippet above), then you have a possible candidate for
XSS.
Regards,
Steven Rebello
Mastek Limited,
"This email is printed using 100% recycled electrons."
-----Original Message-----
From: ramatkal@hotmail.com [mailto:ramatkal@hotmail.com]
Sent: Wednesday, August 18, 2004 1:35 PM
To: webappsec@securityfocus.com
Subject: Recent App Test
During a recent Application pen test I came across a url of the form:
http://www.vulnsite.com/cgi-bin/vulnscript.jsp?url=www.website.com&id=12
345
I changed the url parameter to something like url=www.google.com and
google appeared in my browser. Next, i changed the url to
url=www.whatismyip.com, hoping that the ip address of the webserver
would be displayed, however, only my ip address was displayed.
This means that my browser is loading the url parameter as opposed to
the webserver script fethching the url and then displaying it for me in
my browser right? Is this a security issue?
Assuming that it was the actual webserver script fetching the url
parameter and then displaying it for me, I've come up with a few
vulnerabilities (listed below) and was hoping that people might like to
share some of their ideas.
1) Can use vulnsite as a proxy (& hack other sites)
2) Can port scan using the vuln site by changing url=www.website.com to
url=www.sitetoscan.com:port
3) Can connect to & port scan machines behind the firewall.
Thanks in adance,
Sol
MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of
Mastek Limited, unless specifically indicated to that effect. Mastek Limited
does not accept any responsibility or liability for it. This e-mail and
attachments (if any) transmitted with it are confidential and/or privileged and
solely for the use of the intended person or entity to which it is addressed.
Any review, re-transmission, dissemination or other use of or taking of any
action in reliance upon this information by persons or entities other than the
intended recipient is prohibited. This e-mail and its attachments have been
scanned for the presence of computer viruses. It is the responsibility of the
recipient to run the virus check on e-mails and attachments before opening
them. If you have received this e-mail in error, kindly delete this e-mail from
all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
