|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 50
Members: 0
Total: 50
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Meta tags exploit |
|
Posted: Sat Jul 17, 2004 8:32 pm |
|
|
Harry |
Regular user |
|
|
Joined: May 20, 2004 |
Posts: 14 |
|
|
|
|
|
|
|
Many sites allow you to use html tags viz in Guestbooks, feedbacks, topsites etc. This can easily be exploited to redirect the entire webpage to whatever site/page you want.
Proof of concept:
Sign up for a topsites where you are allowed to use html tags in site description & use the followeing tag:
<meta http-equiv="refresh" content="1;URL=http://harry-inc.com"> to redirect the entire page to your site
Solution: Disable HTML tags |
|
|
|
|
|
Re: Meta tags exploit |
|
Posted: Sun Jul 18, 2004 10:13 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Harry wrote: |
Solution: Disable HTML tags
|
Harder way is to allow some html tags, like <b>, <u>, etc.
But this needs bulletproof sanitizing code |
|
|
|
|
www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|