XSS on demo

Brad Fitzpatrick brad at danga.com
Mon May 23 09:02:31 PDT 2005


Thanks, fixed.

I had a bunch of FIXMEs in the javascript code for things like "Lookup
JavaScript's _____-escape function".  But I guess there is no HTML escape
function, so I had to write one.

BTW, your Java OpenID server isn't setting up the return-to URL properly.
With the classic version (where my return-to URL includes ?style=classic),
you're sending my browser to:

http://www.danga.com/openid/demo/helper.bml%3Fstyle%3Dclassic?openid.mode=id_res&openid.assert_identity=http://itzu.homedns.org:82/&openid.sig=MCwCFAEBimexKHHcjvBAJjLtt3vz5bRGAhR8KSnkCFetOzICoo/sDs2jV1bqOw==&openid.timestamp=2005-05-23T17:00:24+0100

And my webserver is correctly saying:

The requested URL /openid/demo/helper.bml?style=classic was not found on
this server.

You have a little too much escaping going on there.  (I assume you're doing
the DSA signature and asserting that I'm you is just a test...  :-))

- Brad


On Mon, 23 May 2005, Ken Horn wrote:

> fyi, the http error line (if I return a 500, say), is echoed exactly on
> the demo page -- i.e. cross site scriptable.
>
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>
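Two things come up in this exchange: the demo page echoing the HTTP status line into HTML without escaping (Ken's XSS report, and the HTML-escape function Brad says he had to write), and the Java server producing a return-to URL whose own `?style=classic` query was percent-encoded into the path. The following is an added example, not code from the demo or from either author, showing a minimal HTML escaper for the echoed status line, a correct way to append the `openid.*` parameters to a return-to URL that already carries a query string, and a check a relying party can run on the redirect it receives to spot the over-escaped form. The function names `escapeHtml`, `renderStatusLine`, `appendOpenIdParams` and `isOverEscapedReturnTo` are assumed names, and the status line is constructed sample input; the over-escaped URL is the one quoted in the message above.

```javascript
// Added example (not the demo's code): escape the five characters that
// matter in HTML text and attribute contexts before echoing server output.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The demo page echoed the upstream status line verbatim; this is the
// escaped version of that rendering (assumed markup, not the demo's).
function renderStatusLine(statusLine) {
  return '<p>Server said: ' + escapeHtml(statusLine) + '</p>';
}

// Build the id_res redirect by adding openid.* parameters to the return-to
// URL with the URL/URLSearchParams API, which keeps an existing query
// (?style=classic) intact and joins new parameters with '&' rather than
// percent-encoding the '?' and '=' already present.
function appendOpenIdParams(returnTo, params) {
  const url = new URL(returnTo);
  for (const [k, v] of Object.entries(params)) {
    url.searchParams.set(k, v);
  }
  return url.toString();
}

// Relying-party side check: if the path component of the redirect still
// contains an encoded '?' the return-to query was escaped into the path,
// which is exactly why the web server returned 404 in the message above.
function isOverEscapedReturnTo(redirectUrl) {
  const path = new URL(redirectUrl).pathname;
  return /%3F/i.test(path);
}

// Constructed sample status line, as a misbehaving server might send it.
const SAMPLE_STATUS_LINE = 'HTTP/1.1 500 <b>oops</b> & more';

// The redirect quoted in the message above (over-escaped return-to).
const QUOTED_BAD_REDIRECT =
  'http://www.danga.com/openid/demo/helper.bml%3Fstyle%3Dclassic?openid.mode=id_res' +
  '&openid.assert_identity=http://itzu.homedns.org:82/' +
  '&openid.sig=MCwCFAEBimexKHHcjvBAJjLtt3vz5bRGAhR8KSnkCFetOzICoo/sDs2jV1bqOw==' +
  '&openid.timestamp=2005-05-23T17:00:24+0100';

const GOOD_REDIRECT = appendOpenIdParams(
  'http://www.danga.com/openid/demo/helper.bml?style=classic',
  { 'openid.mode': 'id_res' }
);

console.log(renderStatusLine(SAMPLE_STATUS_LINE));
console.log('quoted redirect over-escaped:', isOverEscapedReturnTo(QUOTED_BAD_REDIRECT));
console.log('correct redirect:', GOOD_REDIRECT,
  'over-escaped:', isOverEscapedReturnTo(GOOD_REDIRECT));
```

`URLSearchParams` percent-encodes parameter values itself (the `:` and `/` in an asserted identity URL become `%3A` and `%2F`), so the server should never pre-encode them; the only thing that must not be encoded is the return-to URL's own `?` and `=`, which is the mistake the quoted redirect shows.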