[WEB SECURITY] script inside .txt file
osegal at watchfire.com
Wed Apr 25 03:49:49 EDT 2007
The problem is probably that your web server returns the file contents
with a certain "Content-Type" that is treated as HTML by the browser.
According to your description, it sounds as if Apache is returning the
file with "Content-Type: text/plain", which is not parsed as HTML by
Mozilla (hence no pop-up), but for some reason that is beyond me,
Microsoft IE renders it as HTML.
Take a look at this: http://support.microsoft.com/kb/329661
Hope this helps,
From: prashant k v [mailto:kvprashant at yahoo.com]
Sent: Wednesday, April 25, 2007 9:08 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] script inside .txt file
I have a web site with upload functionality, users can use the site to
upload .txt files.
Users can access files directly, e.g. www.mysite.com/abc.txt
The problem is, if there is text like
<script>alert('hello');</script> in that .txt file and if someone opens
the file in IE the script gets executed, which should not happen.
I am using Apache http server 2.0.59 and IE 7. This problem doesn't occur
in Mozilla, <script>alert('hello');</script> is displayed as it is.
Can anyone help me solve this?
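
An added example, not part of the original thread or of any poster's code: a Python check a site owner could run over the response that serves an uploaded file, flagging the condition discussed above (markup in a file served as text/plain with nothing stopping a sniffing browser from rendering it). The function names, the 256-byte window and the tag list are assumptions chosen for illustration, not IE's actual detection rules. X-Content-Type-Options: nosniff is honored only by browsers released after this thread (IE 8 onward), so the `legacy_clients` flag treats it as insufficient for older ones.

```python
import re

# Assumptions for illustration only, not a browser's real sniffing rules.
SNIFF_WINDOW = 256
HTML_HINT = re.compile(
    rb"<\s*(script|html|body|head|iframe|img|a|title|table)\b", re.I)

def audit_upload_response(headers, body):
    """Return findings for a response serving a user-uploaded file.

    headers: dict of header name -> value; body: response bytes.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        findings.append("missing-content-type")
    elif ctype in ("text/html", "application/xhtml+xml"):
        findings.append("served-as-html")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no-nosniff")
    # "attachment" asks the browser to download instead of rendering inline.
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("rendered-inline")
    if HTML_HINT.search(body[:SNIFF_WINDOW]):
        findings.append("html-like-leading-bytes")
    return findings

def is_sniffable(headers, body, legacy_clients=True):
    """Heuristic verdict: could a content-sniffing browser treat this as HTML?"""
    f = audit_upload_response(headers, body)
    if "served-as-html" in f:
        return True
    if "html-like-leading-bytes" not in f or "rendered-inline" not in f:
        return False
    # Older browsers ignore nosniff, so it only counts for newer clients.
    return True if legacy_clients else "no-nosniff" in f

# Constructed sample: the upload from the question, served as described.
SAMPLE_BODY = b"<script>alert('hello');</script>"
AS_REPORTED = {"Content-Type": "text/plain"}
HARDENED = {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="abc.txt"',
}

if __name__ == "__main__":
    print(audit_upload_response(AS_REPORTED, SAMPLE_BODY))
    print(audit_upload_response(HARDENED, SAMPLE_BODY))
```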