Problem description
It seems possible to inject JavaScript in a GET request when referring to the /xsp/.ibmmodres/ XSP/Domino resources.
Normally, when you try this at .nsf/ resources, you get a correct default or custom error page without XSS possibilities. Special characters are substituted.
Example:
- http://[server]/[path]/[dbname].nsf/%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Result: HTTP Web Server: Cannot find design element
But referring to the /xsp/.ibmmodres/ resources, it yields XSS possibilities.
Example:
- http://[server]/[path]/[dbname].nsf/xsp/.ibmmodres/%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Result:
I get a 404 error page "Cannot load unregistered resource /"
And it executes CSJS and shows, for example, DomAuthSessID!!
How is this possible? Is there a way to avoid this? Please help!
Recommended answer
Here is an article about how to avoid this:
http://www.wissel.net/blog/d6plinks/SHWL-8XS3MY
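
The difference the question describes, between an error page that substitutes special characters and one that echoes the decoded path, as an added example that is not code from Domino, XPages or the linked article. The function names and the page markup are hypothetical; the error text is modelled on the message quoted in the question, and the sample path is the one from its example URL.

```javascript
'use strict';

// HTML-encode the characters that let reflected text turn into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-decode the request path as a server does before building its message.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (e) {
    return rawPath; // malformed percent-encoding: keep the raw form
  }
}

// Behaviour described in the question: the decoded path is echoed as-is.
function render404Unsafe(rawPath) {
  return '<html><body><h1>404</h1><p>Cannot load unregistered resource ' +
    decodePath(rawPath) + '</p></body></html>';
}

// Same page with the reflected value encoded for the HTML body context.
function render404Safe(rawPath) {
  return '<html><body><h1>404</h1><p>Cannot load unregistered resource ' +
    escapeHtml(decodePath(rawPath)) + '</p></body></html>';
}

// Regression check for an error page: is the decoded path present as live markup?
function reflectsUnencoded(body, rawPath) {
  const decoded = decodePath(rawPath);
  return /[<>"']/.test(decoded) && body.includes(decoded);
}

// Constructed sample: the path segment from the question's example URL.
const samplePath = '/%3Cscript%3Ealert%28document.cookie%29%3C/script%3E';

console.log('unsafe page reflects markup:', reflectsUnencoded(render404Unsafe(samplePath), samplePath));
console.log('safe page reflects markup:  ', reflectsUnencoded(render404Safe(samplePath), samplePath));
```

`reflectsUnencoded` can be run against the saved body of any error response to confirm that a fix actually encodes the reflected path.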