Closed
Bug 154029
Opened 22 years ago
Closed 22 years ago
HTML directory indexer doesn't html-escape url
Categories
(Core :: Security: CAPS, defect)
VERIFIED DUPLICATE of bug 154030
People
(Reporter: bbaetz, Assigned: bbaetz)
As reported by ptrs-ejy@bp.iij4u.or.jp to the security group, the uri (which is added to the page) isn't html escaped:

<quote>
+ Exploit code:
~~~~~~~~~~~~~~~~~
<a href="ftp://'FTPserver' or 'FTP+HTTPserver'/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>
</quote>

(You need to add a valid ftp server in there)

Patch coming
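The missing escaping step this report describes, as an added C++ example that is not from the report or from Mozilla's code: it builds an index page title from a URI, first without and then with HTML escaping at the point of output. The function names, the page template, the placeholder host ftp.example.test, and the assumption that the URI is percent-decoded before it is written into the title are all illustrative.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Assumed model of the unescaping step: decode %XX, leave malformed escapes as-is.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        bool hex = i + 2 < in.size() && std::isxdigit((unsigned char)in[i + 1]) &&
                   std::isxdigit((unsigned char)in[i + 2]);
        if (in[i] != '%' || !hex) { out += in[i]; continue; }
        out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16);
        i += 2;
    }
    return out;
}

// Replace the characters that are significant in HTML text and attribute values.
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        if (c == '&') out += "&amp;";
        else if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;";
        else if (c == '"') out += "&quot;";
        else if (c == '\'') out += "&#39;";
        else out += c;
    }
    return out;
}

// "Before" (hypothetical template): decoded URI concatenated into the markup as-is.
std::string indexHeaderUnescaped(const std::string& uri) {
    return "<html><head><title>Index of " + percentDecode(uri) + "</title></head>";
}

// "After": the same text, HTML-escaped where it enters the page.
std::string indexHeaderEscaped(const std::string& uri) {
    return "<html><head><title>Index of " + htmlEscape(percentDecode(uri)) + "</title></head>";
}

// Constructed sample: the fragment from the report on a placeholder host.
const std::string kSampleUri =
    "ftp://ftp.example.test/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E";

int main() {
    std::cout << indexHeaderUnescaped(kSampleUri) << "\n" << indexHeaderEscaped(kSampleUri) << "\n";
}
```

Escaping after decoding matters here: the fragment arrives percent-encoded, so a check on the raw URI for `<` would see nothing to escape.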
Assignee
Comment 1•22 years ago
Oops - double submit. *** This bug has been marked as a duplicate of 154030 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Updated•22 years ago
Group: security?
VERIFIED/dupe.
Status: RESOLVED → VERIFIED
Component: Networking: FTP → Security: CAPS
QA Contact: benc → bsharma