[WEB SECURITY] script inside .txt file
Ory Segal
osegal at watchfire.com
Wed Apr 25 03:49:49 EDT 2007
Hi,
The problem is probably that your web server returns the file contents
with a certain "Content-Type" that is treated as HTML by the browser.
According to your description, it sounds as if Apache is returning the
file with "Content-Type: text/plain", which is not parsed as HTML by
Mozilla (hence no pop-up), but for some reason that is beyond me,
Microsoft IE renders it as HTML.
Take a look at this: http://support.microsoft.com/kb/329661
and:
http://www.howtocreate.co.uk/wrongWithIE/?chapter=Content-type%3A+text%2Fplain
Hope this helps,
-Ory
________________________________
From: prashant k v [mailto:kvprashant at yahoo.com]
Sent: Wednesday, April 25, 2007 9:08 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] script inside .txt file
Hello,
I have a web site with upload functionality; users can use the site to
upload .txt files.
Users can access files directly, e.g. www.mysite.com/abc.txt
The problem is, if there is text like
<script>alert('hello');</script> in that .txt file and if someone opens
the file in IE, the script gets executed, which should not happen.
I am using Apache HTTP Server 2.0.59 and IE 7. This problem doesn't occur
in Mozilla; <script>alert('hello');</script> is displayed as it is.
Can anyone help me solve this?
Regards
Prashant
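An added example, not part of the original thread or either poster's code: a header audit for a response that serves an uploaded .txt file, run against the file from the question. The function name, the markup heuristic and the two header sets are assumptions of this example; the heuristic is deliberately conservative and is not IE's actual sniffing algorithm.

```python
import re

# Conservative heuristic (an assumption of this example, not IE's exact
# sniffing algorithm): "<" followed by a letter, "!", "/" or "?" is treated
# as markup that a content-sniffing browser might act on.
MARKUP = re.compile(rb"<[A-Za-z!/?]")


def audit_text_response(headers, body):
    """Return a list of findings for one response serving an uploaded file.

    headers: dict of response header name -> value
    body:    response body as bytes
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings = []

    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype != "text/plain":
        findings.append(f"content-type is {ctype or 'missing'}, expected text/plain")

    # nosniff is honoured by IE 8+ and current browsers; IE 7 predates it.
    nosniff = h.get("x-content-type-options") == "nosniff"
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff not set")

    # Forcing a download keeps the file from rendering in the site's origin,
    # which also covers browsers that ignore nosniff.
    attachment = h.get("content-disposition", "").startswith("attachment")
    if not attachment:
        findings.append("Content-Disposition: attachment not set")

    if MARKUP.search(body) and not (nosniff or attachment):
        findings.append("body contains markup and nothing stops sniffing")
    return findings


# Constructed sample: the file from the thread, served as the thread describes.
SAMPLE_BODY = b"<script>alert('hello');</script>"
BEFORE = {"Content-Type": "text/plain"}
AFTER = {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="abc.txt"',
}

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_text_response(hdrs, SAMPLE_BODY))
```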