- From: Alex Russell <alex@dojotoolkit.org>
- Date: Fri, 14 Apr 2006 19:41:20 -0700
- To: public-webapi@w3.org
- Message-Id: <200604141941.23356.alex@dojotoolkit.org>

On Tuesday 11 April 2006 1:37 pm, Ian Hickson wrote:
> On Tue, 11 Apr 2006, Maciej Stachowiak wrote:
> > So, in itself, that might not be too bad an exploit. You can't get
> > the Cookie or Authorization header, or document.cookie, so even if
> > you find such a test script on a live server where users have login
> > accounts. However, suppose there's a test script that also echoes
> > back all the headers it sends in the body, some kind of debug mode
> > maybe. Now you have something exploitable.
>
> Your script is getting somewhat complex now -- it needs to take GET
> query parameters and convert them into HTTP headers and to echo all
> its headers into the body as well. Does this ever happen? I've
> written echo scripts myself but I can't think of any that are
> vulnerable here.

Perhaps not on their own, but attacks like "response splitting" which
tends to affect poorly written proxies could easily induce this
scenario.

Regards

--
Alex Russell
alex@jot.com
alex@dojotoolkit.org BE03 E88D EABB 2116 CC49 8259 CF78 E242 59C3 9723

Received on Monday, 17 April 2006 15:10:31 UTC
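
Added example, not part of the original message: a small model of the scenario raised in the reply above, where a serializer that writes header values verbatim lets a CR/LF pair end the header block early, so any header written afterwards is delivered as body text; the strict variant rejects such values. All function names, header names and sample values are constructed for illustration.

```python
import re

# CR, LF and NUL may not appear in an HTTP field name or value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

def serialize_naive(status, headers, body):
    """Hypothetical careless proxy or echo script: header values are written verbatim."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def serialize_strict(status, headers, body):
    """Same wire format, but refuses any name or value that could end a header line."""
    for name, value in headers:
        if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
            raise ValueError(f"illegal control character in header {name!r}")
    return serialize_naive(status, headers, body)

def parse_as_client(raw):
    """Split a raw response the way a client does: headers stop at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = dict(line.split(": ", 1) for line in head.split("\r\n")[1:])
    return fields, body

# Constructed sample: one value copied from request input, one header meant to stay
# out of reach of page script.
TAINTED = "debug\r\n\r\n"
HEADERS = [("X-Echo", TAINTED), ("X-Session-Debug", "constructed-value")]

def demo():
    """Return what a client sees when the naive serializer handles the sample."""
    return parse_as_client(serialize_naive("200 OK", HEADERS, "hello"))

if __name__ == "__main__":
    fields, body = demo()
    print("headers seen by client:", fields)
    print("body seen by client:", repr(body))
    try:
        serialize_strict("200 OK", HEADERS, "hello")
    except ValueError as exc:
        print("strict serializer:", exc)
```
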