NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Secunia Advisories> 2003-q2

[sec-adv] Python Documentation Server Cross-Site Scripting

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Fri Apr 04 2003 - 03:04:36 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
Python Documentation Server Cross-Site Scripting

READ ONLINE:
http://www.secunia.com/advisories/8511/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Python 2.3
Python 2.2

DESCRIPTION:
A vulnerability in Python Documentation Server can be exploited by
malicious people to conduct Cross-Site Scripting attacks against
other visitors.

Due to an input validation error, it is possible to conduct a
Cross-Site Scripting attack against a visitor by constructing a
malicious link, which includes script code as a ressource.

Example:
http://[victim]:7464/[script_code]

When the link is clicked or a user visits a malicious website, the
script code will be executed in the user's browser session. This can
result in disclosure of various information (eg. cookie-based
authentication information) associated with the site running Python
Documentation Server or inclusion of malicious content, which the
user thinks is part of the real website.

NOTE: The vulnerability has been reported to affect version Python
2.2.2 and 2.3a2 for Win32.

SOLUTION:
Filter malicious characters in a HTTP proxy or firewall with URL
filtering capabilities.

REPORTED BY / CREDITS:
euronymous

ORIGINAL ADVISORY:
English:
http://f0kp.iplus.ru/bz/020.en.txt

Russian:
http://f0kp.iplus.ru/bz/020.ru.txt

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]