XSS on demo
Brad Fitzpatrick
brad at danga.com
Mon May 23 09:02:31 PDT 2005
Thanks, fixed.
I had a bunch of FIXMEs in the javascript code for things like "Lookup
JavaScript's _____-escape function". But I guess there is no HTML escape
function, so I had to write one.
BTW, your Java OpenID server isn't setting up the return-to URL properly.
With the classic version (where my return-to URL includes ?style=classic),
you're sending my browser to:
http://www.danga.com/openid/demo/helper.bml%3Fstyle%3Dclassic?openid.mode=id_res&openid.assert_identity=http://itzu.homedns.org:82/&openid.sig=MCwCFAEBimexKHHcjvBAJjLtt3vz5bRGAhR8KSnkCFetOzICoo/sDs2jV1bqOw==&openid.timestamp=2005-05-23T17:00:24+0100
And my webserver is correctly saying:
The requested URL /openid/demo/helper.bml?style=classic was not found on
this server.
You have a little too much escaping going on there. (I assume you doing
the DSA signature and asserting that I'm you is just a test... :-))
- Brad
On Mon, 23 May 2005, Ken Horn wrote:
> fyi, the http error line (if I return a 500, say), is echo'd exactly on
> the demo page -- ie cross site scriptable.
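The return-to problem described in the message above, as an added example that is not part of the original post or of either party's code. The function names are hypothetical, the `openid.sig` value is constructed, and `buggyAppend` is only a model that reproduces the shape of the quoted URL, not the Java server's actual logic.

```javascript
// Added example: all function names here are hypothetical.

// Model of the over-escaping: the "?" and "=" already present in return_to
// are percent-encoded, then a fresh "?" is added for the response fields.
function buggyAppend(returnTo, params) {
  const escaped = returnTo.replace(/[?=]/g, (c) => encodeURIComponent(c));
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${v}`) // values left raw, as in the quoted URL
    .join("&");
  return `${escaped}?${query}`;
}

// Corrected: parse return_to, keep its existing query string, and append
// each response field as its own encoded key/value pair.
function appendResponseParams(returnTo, params) {
  const url = new URL(returnTo);
  for (const [k, v] of Object.entries(params)) {
    url.searchParams.append(k, v);
  }
  return url.toString();
}

// What the consumer's web server ends up with for a given URL.
function asSeenByServer(urlString) {
  const u = new URL(urlString);
  return {
    path: u.pathname,
    style: u.searchParams.get("style"),
    mode: u.searchParams.get("openid.mode"),
    timestamp: u.searchParams.get("openid.timestamp"),
  };
}

const RETURN_TO = "http://www.danga.com/openid/demo/helper.bml?style=classic";
const RESPONSE = {
  "openid.mode": "id_res",
  "openid.sig": "CONSTRUCTED+SIG/VALUE==", // constructed, not a real signature
  "openid.timestamp": "2005-05-23T17:00:24+0100",
};

console.log(asSeenByServer(buggyAppend(RETURN_TO, RESPONSE)));
console.log(asSeenByServer(appendResponseParams(RETURN_TO, RESPONSE)));
```

In the buggy case the `style` parameter is folded into the path, and the unencoded `+` in the timestamp is read back as a space, so a value covered by the signature no longer matches what was sent.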