Re: Novell GroupWise WebAccess error modules loading
The injection of scripts seems not to be possible because the required
tags <script> and </script> are filtered/replaced.
I found a similar hole in a piece of proprietary software that we use
at work (advisory pending, the vendor is trying to push patches to
other users).
Basically, the software filtered all input that had both a < and a >
(but not just a <). So I injected:
<body onload="alert('Security hole.')"
This resulted in a dialog box that said "Security hole." WITHOUT any
script tags (or indeed, without any well-formed HTML at all!).
I would be interested to hear whether or not Novell GroupWise filters
things like the above example.
Here's a full HTML file that, if loaded in Safari or Firefox, will
produce a dialog box:
--start--
<html><body>
Here is some text.
<!-- injected characters -->
<body onload="alert('Security hole!')"
<!-- end injected characters -->
<i>Blah blah blah</i>
</body>
</html>
--end--
Regards,
--
Jonathan Rockway <jrockway@xxxxxxxxxxxx>
Student - University of Illinois at Chicago