XSS is autoindex | patch included

Discussion in 'Bug Reports' started by felosi, Jul 23, 2007.

  1. felosi

    felosi New Member

    I sent you an email earlier george but looks like your server was having problems.
    Anyway there is an xss in autoindex, Some kiddy group made it, does not much more then give a popup but could probably be used to steal cookies or whatever. I dont know, not to keen on xss. Here is the original advisory
    Here is it live on a server I havent patched yet
    http://nig.felosi.info/_autoindex/default.php/%3E'%3E%3CScRiPt%3Ealert(document.domain)%3C/ScRiPt%3E

    After patch
    http://pr0be.net/_autoindex/default.php/%3E'%3E%3CScRiPt%3Ealert(document.domain)%3C/ScRiPt%3E

    So its still kinda not right but danger is gone.

    Me and my friends came up with a patch
    http://pr0be.net/files/default.php.txt

    I suppose it can still use a lil work but no more xss
    Last edited: Jul 23, 2007
  2. mistwang

    mistwang LiteSpeed Staff

    Actually, the advisory is for another open source autoindex script, we wrote our own.
    Anyway, we improve it based on the feed back, and make it impossible to be accessed directly.
  3. felosi

    felosi New Member

    Yeah, I wasnt sure if the advisory was the same as the string. Was what I was sent. But Im glad I could help and if I hear anything else Ill be the first to let you know

Share This Page