[CentOS] Apache mod_perl cross site scripting vulnerability

Wed Aug 12 13:01:30 UTC 2015
Прокси <proxy-one at mail.ru>

On 2015-Aug-12 05:17, Ellen Shull wrote:
> On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru> wrote:
> > Is there a way to use curl for testing? I'm getting a new line because of
> > the single quote inside string and escaping it with back slash gives me
> > bash: syntax error near unexpected token `<'
> 
> You can use curl's -K option which lets you stick arguments in a file,
> helpful for getting around shell quoting nightmares.  For example make
> a file named test-url-file which contains the line
> url = http://www.mydomain.com/[bad stuff, don't want this message
> tripping over some filter for containing a malicious-looking URL]
> 
> then do curl -g -K test-url-file
> 
> Note that just gets you around shell interpretation; curl does some of
> its own as well.  The -g switch I used there disables its
> interpretation of {}[] as special globbing characters.  If you put the
> url in double quotes then not only do you have to escape any double
> quotes in the string, it also starts interpreting backslash sequences
> so you have to double all backslashes--so oddly it's best to just
> leave quotes off.

Thanks, it works! I was able to reproduce the problem and was able to see
how my changes affected the response from the server.
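
One way to repeat the curl -K check from this thread against your own server, before and after a configuration change, as an added example that is not part of the original messages. The probe string, the function names and the TARGET_BASE_URL variable are assumptions made for illustration; the probe is a harmless marker, not the URL elided above.

```shell
#!/bin/sh
# Added example; the probe string and file names are constructed.
# Harmless marker holding the characters that break shell quoting
# (single quote, angle brackets, square brackets); no script content.
PROBE="probe'<b>[1]"

# Write a curl config file; printf emits the URL untouched by the shell,
# and the value is left unquoted so curl applies no backslash handling.
# $1 = config file to create, $2 = base URL of your own server.
write_curl_config() {
    printf 'url = %s%s\n' "$2" "$PROBE" > "$1"
}

# Fetch using the config file; -g stops curl globbing on {} and [].
# $1 = config file, $2 = file to receive the response body.
fetch_with_config() {
    curl -g -s -K "$1" -o "$2"
}

# Classify a saved response body ($1).
#   raw     -> marker came back byte-for-byte: output is not encoded
#   encoded -> marker came back with < and > as HTML entities
#   absent  -> marker is not echoed at all
classify_response() {
    if grep -qF -- "$PROBE" "$1"; then
        echo raw
    elif grep -qF -- '&lt;b&gt;[1]' "$1"; then
        echo encoded
    else
        echo absent
    fi
}

# Runs only when TARGET_BASE_URL (hypothetical variable) is set, e.g.
#   TARGET_BASE_URL=http://www.mydomain.com/ sh probe.sh
if [ -n "${TARGET_BASE_URL:-}" ]; then
    cfg=$(mktemp) && body=$(mktemp) || exit 1
    write_curl_config "$cfg" "$TARGET_BASE_URL"
    fetch_with_config "$cfg" "$body"
    classify_response "$body"
    rm -f "$cfg" "$body"
fi
```

A result of raw before the change and encoded or absent after it is the difference in server response the last message describes.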