
2455 Re: [webalizer] Re: cross-site-scripting

  • Bradford L. Barrett
    Jan 14, 2004
      > > > Thanks. This works. I do have access control for who can read the
      > > > reports.
      > >
      > > Access control does not prevent cross-site scripting :(
      >
      > I suppose I don't really understand what cross-site scripting means.
      > The change to isurlchar() is only to webalizer, nothing is changed on
      > the Apache server side.
      >
      > You mentioned something about someone sending a bogus query string to
      > make it to the top 20. Let us further assume someone else gets to see
      > the report Webalizer makes. He sees the URL with the bogus
      > query string. What then?

      See this CERT advisory: http://www.cert.org/advisories/CA-2000-02.html

      --
      Bradford L. Barrett brad@...
      A free electron in a sea of neutrons DoD#1750 KD4NAW

      The only thing Micro$oft has done for society, is make people
      believe that computers are inherently unreliable.
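
The scenario asked about above is log-derived text (a request URL and its query string) ending up inside an HTML report that another person opens in a browser. As an added example, not part of the original message and not Webalizer source, this shows a report writer encoding such text before emitting it; the names `html_escape` and `report_row` are hypothetical.

```c
/* Added example (not Webalizer source); html_escape/report_row are hypothetical names. */
#include <stdio.h>
#include <string.h>

/* Write src into dst as HTML-safe text. Returns bytes written (excluding
 * the NUL), or -1 if dst is too small; dst is then left empty. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n >= dstlen) { dst[0] = '\0'; return -1; }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Format one "top URLs" table row; the URL comes from the access log. */
int report_row(const char *url, unsigned long hits, char *out, size_t outlen)
{
    char safe[1024];
    if (html_escape(url, safe, sizeof safe) < 0)
        return -1;             /* refuse rather than truncate mid-entity */
    int n = snprintf(out, outlen, "<tr><td>%lu</td><td>%s</td></tr>", hits, safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: a request URL carrying markup in its query string. */
    char row[2048];
    if (report_row("/index.html?q=<b>x</b>&a=\"1\"", 42, row, sizeof row) > 0)
        puts(row);
    return 0;
}
```

With the encoding applied, the reader's browser displays the query string as text instead of interpreting it, regardless of who is allowed to open the report.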