[Freeciv-Dev] Re: [Metaserver] scripting security hole (PR#1424)
On Wed, May 01, 2002 at 10:29:47AM -0700, Stefan Schnetter wrote:
> > This is causing the browser to make a request for the file, so you will
> > only be able to force it to grab files it can already grab.
> You can read out e.g. Mozilla's stored password file (or something else) of
> every visitor and send it anywhere. My test exploit just displays files (and it
> doesn't work because it doesn't execute locally).
>
> > The metaserver shouldn't allow tags, but this isn't a security problem.
> I am not a script kiddie or a security expert so I don't know another
> exploit that can really do damage.
>
> It is possible to abuse it and if someone knows a dangerous exploit, e.g. one that
> accesses server files - then it is a security problem.
Nothing gets executed on the server. The problem is on the client end.
As a workaround we can disallow/escape HTML in /metainfo strings
as you suggest, or even add a /metaurl command to support URLs.
--
Reinier
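
One way to apply the workaround described in the message above, written as an added example that is not part of the original message or of Freeciv's metaserver code: the /metainfo string is escaped before it is placed in the server list page, and a separately supplied URL is only turned into a link if it is an absolute http(s) URL. The function names, the row layout and the idea that a /metaurl value arrives as its own field are assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumption: only these schemes are acceptable for a server's link.
ALLOWED_SCHEMES = {"http", "https"}


def safe_url(url):
    """Return url if it is an absolute http(s) URL, otherwise None."""
    url = url.strip()
    # Reject embedded whitespace and control characters outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_row(host, metainfo, metaurl=""):
    """Build one table row of the (hypothetical) server list page.

    Every server-supplied string is escaped, so tags sent in /metainfo
    show up as literal text in the visitor's browser instead of markup.
    """
    cells = [html.escape(host, quote=True), html.escape(metainfo, quote=True)]
    url = safe_url(metaurl) if metaurl else None
    if url:
        link = html.escape(url, quote=True)  # safe inside the href attribute
        cells.append('<a href="%s" rel="noopener noreferrer">%s</a>' % (link, link))
    else:
        cells.append("")  # unusable URL: show no link at all
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


if __name__ == "__main__":
    # Constructed sample input, not taken from a real metaserver.
    print(render_row("host.example", "<b>join us</b> & have fun",
                     "http://example.org/game"))
```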