Divine OpenMarket Content Server XSS

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Divine OpenMarket Content Server XSS
From: "Valgasu" <valgasu@xxxxxxxxxx>
Date: Fri, 3 Oct 2003 23:47:21 +0200
Cc: <support@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20031002213942.GA29891@xxxxxxx>

Content Server is a web content management from Divine (www.divine.com)
A Cross Site Scripting in this product allows injection of hostile
HTML/script
into the error page.

Example :
http://www.mouffleton.com/servlet/ContentServer?pagename=<body%20onload=alert(document.cookie);>

Workaround :
Catch error and display a standard error page without echo of the file name.

Valgasu
http://valgasu.rstack.org
http://www.rstack.org

References:
- Webmails + Internet Explorer can create unwanted javascript execution
  - From: Jedi/Sector One

Prev by Date: Cisco 6509 switch telnet vulnerability
Next by Date: Cobalt RaQ Control Panel Cross Site Scripting
Previous by thread: RE: Webmails + Internet Explorer can create unwanted javascript execution
Next by thread: Re: Webmails + Internet Explorer can create unwanted javascript execution
Index(es):
- Date
- Thread