<<< Date Index >>>     <<< Thread Index >>>

Divine OpenMarket Content Server XSS



Content Server is a web content management from Divine (www.divine.com)
A Cross Site Scripting in this product allows injection of hostile
HTML/script
into the error page.

Example :
http://www.mouffleton.com/servlet/ContentServer?pagename=<body%20onload=alert(document.cookie);>

Workaround :
Catch error and display a standard error page without echo of the file name.

Valgasu
http://valgasu.rstack.org
http://www.rstack.org