twistedps
Jun 22 2004, 04:58 PM
Just submitted this to Bugtraq, so I'll post it here also.
Vendor: ArbitroWeb v0.6
Website: http://sourceforge.net/projects/arbitroweb/
Problem: /?rawURL= allows JavaScript injection
About: An anonymous web surfing proxy written in PHP. ArbitroWeb redirects all web requests through its set of scripts; all URLs contained in a page are adjusted/mangled to point at its own scripts.

Example: a simple JavaScript alert:

    http://site.com/?rawURL=<script>javascript: alert();</script>

It could also be used maliciously, with something like:

    http://site.com/?rawURL=<script>javascript: for (var i=0; i<100; i++) alert(4444444444444444444444444444);</script>

which would cause 100 popup alerts.

Unfortunately not much can be done, since it filters the " character, but it may be possible to get around that.
Still, nonetheless, it should be fixed, and is a potential problem.
Thanks to wehack.com, since I was looking around their site at advisories and came upon this product.

- josh gilmour joshg <at> conqwest <dot> com
lol, I just rewrote it again, so it may differ from the actual Bugtraq post...
tps-
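As an added illustration (not code from the post above and not ArbitroWeb's own code), the following Python models the two points the post makes about the rawURL parameter: a filter that only strips the `"` character does not stop the quoted payloads, because neither of them needs a double quote, whereas an allowlist check that the parameter is actually an http(s) URL, followed by HTML-escaping of anything echoed back into the page, does. The quote-stripping filter, the two page-rendering functions and the sample inputs are hypothetical constructions for this example; only the two payload strings are taken from the post.

```python
import html
from urllib.parse import urlparse

# Constructed sample inputs. The first two are the payloads from the post
# (neither contains a double quote); the third shows what quote-stripping
# does to a payload that has one; the last is a legitimate proxy target.
PAYLOAD_ALERT = '<script>javascript: alert();</script>'
PAYLOAD_LOOP = ('<script>javascript: for (var i=0; i<100; i++) '
                'alert(4444444444444444444444444444);</script>')
PAYLOAD_QUOTED = '<script>alert("x")</script>'
GOOD_URL = 'http://example.com/search?q=<b>'


def quote_stripping_filter(raw_url: str) -> str:
    """Hypothetical model of a filter that only removes the '"' character."""
    return raw_url.replace('"', '')


def render_naive(raw_url: str) -> str:
    """Hypothetical proxy page that echoes the filtered rawURL into its HTML.

    Stripping quotes does nothing against a bare <script> element, so the
    payload reaches the browser intact.
    """
    return '<p>Fetching ' + quote_stripping_filter(raw_url) + '</p>'


def validate_raw_url(raw_url: str):
    """Allowlist check: accept only absolute http(s) URLs with a host.

    Returns the normalised URL, or None when the value is not such a URL
    (for example an HTML fragment or a javascript: URL passed as rawURL).
    """
    parsed = urlparse(raw_url)
    if parsed.scheme not in ('http', 'https') or not parsed.netloc:
        return None
    # Reject hosts containing characters that never appear in a hostname.
    if any(ch in parsed.netloc for ch in '<>"\'\\ '):
        return None
    return parsed.geturl()


def render_hardened(raw_url: str) -> str:
    """Validate first, then HTML-escape whatever is echoed into the page."""
    url = validate_raw_url(raw_url)
    if url is None:
        return '<p>Rejected: rawURL is not an http(s) URL</p>'
    return '<p>Fetching ' + html.escape(url, quote=True) + '</p>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show whether a <script> element reached the page."""
    return '<script' in markup.lower()


if __name__ == '__main__':
    for sample in (PAYLOAD_ALERT, PAYLOAD_LOOP, PAYLOAD_QUOTED, GOOD_URL):
        print('naive   :', render_naive(sample))
        print('hardened:', render_hardened(sample))
```

The validation step is what matters: a proxy's rawURL parameter should only ever be an absolute http(s) URL, so anything else can be rejected outright rather than filtered character by character. Escaping on output is still needed for the accepted URLs, because a legitimate target can contain `<` or `&` in its query string.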