
2454 Re: cross-site-scripting

  • Weidong Wang
    Jan 14, 2004
      --- In webalizer@yahoogroups.com, "Bradford L. Barrett" <brad@m...>
      > > Thanks. This works. I do have access control for who can read the
      > > reports.
      > Access control does not prevent cross-site scripting :(

      I suppose I don't really understand what cross-site scripting means.
      The change to isurlchar() is only to webalizer, nothing is changed on
      the Apache server side.

      You mentioned something about someone sending a bogus query string to
      make it to the top 20. Let us further assume someone else gets to see
      the report Webalizer makes. He sees the URL with the bogus
      query string. What then?

      Thanks for helping out.
