False positive for password field with : aBC#$%12



zanfer
08.11.2010, 05:53
If I set the user password as : aBC#$%12
It will give :

2010-11-07T23:25:30-05:00,10,"id rfe xss","REQUEST.login.txtUserPassword=aBC%23%24%2512 POST.login.txtUserPassword=aBC%23%24%2512","%2Fweb%2Findex.php%2Fadmin%2FredhatUserList"

Is this the accepted behavior?

.mario
08.11.2010, 15:44
Yep - the %12 is being considered to be a ctrl character in urlencoded form - just ignore ;)
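
Added example, not part of the thread and not PHPIDS code: a Python sketch for triaging this kind of alert. It assumes the detector percent-decodes the logged value one round more than the application does; `wire_form`, `decode_rounds`, `triage` and the result labels are hypothetical names.

```python
from urllib.parse import quote, unquote

def wire_form(value):
    """Percent-encode a form value the way it appears in the log line."""
    return quote(value, safe="")

def control_chars(s):
    """C0 control characters in s, ignoring tab, CR and LF."""
    return [c for c in s if ord(c) < 0x20 and c not in "\t\r\n"]

def decode_rounds(wire_value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing.

    Returns a list of (round_number, decoded_value, control_chars_found).
    """
    rounds = []
    value = wire_value
    for n in range(1, max_rounds + 1):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
        rounds.append((n, value, control_chars(value)))
    return rounds

def triage(wire_value):
    """Classify a logged parameter value.

    control-char-on-wire     : one decode already yields a control byte
    literal-percent-sequence : the control byte appears only after an
                               extra decode, so the user typed text that
                               merely looks like an escape (false positive)
    clean                    : no control byte at any round
    """
    for n, _value, ctrl in decode_rounds(wire_value):
        if ctrl:
            return "control-char-on-wire" if n == 1 else "literal-percent-sequence"
    return "clean"

if __name__ == "__main__":
    logged = wire_form("aBC#$%12")          # password from the thread
    print(logged)                            # value as seen in the log
    for n, value, ctrl in decode_rounds(logged):
        print(n, repr(value), [hex(ord(c)) for c in ctrl])
    print(triage(logged))
```
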