Re: Hotmail security vulnerability - injecting JavaScript

From: Richard M. Smith (smithsat_private)
Date: Tue Sep 14 1999 - 18:54:22 PDT

Next message: Brock Tellier: "SCO 5.0.5 lpr local root exploit"

Previous message: Steve Fallin: "Re: Default configuration in WatchGuard Firewall"
Next in thread: Georgi Guninski: "Re: Hotmail security vulnerability - injecting JavaScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

> This is actually more than just another hotmail glitch. Many (all?) web
> services are doing things wrong:

Yes, the problem with JavaScript enitities (ie, &{<expression>};) happens
all of over the Web.  Here are some places that I have found where it is
possible to inject JavaScript code into Web pages:

     1.  Most Web Email services
     2.  Most Web message board software
     3.  Most guest book software
     4.  Yahoo profiles (this has now been fixed)
     5.  Techstocks Web board messages.
     6.  Some search engine result pages
     7.  eBay auction postings
     8.  Netcenter (now fixed)

Basically a JavaScript enitity can be added to the end of any URL
for an image or a link.  When the page is displayed, the code
in the enitity is executed.  Pretty much any Web site that allows
user supplied information can have the problem.

Richard

Next message: Brock Tellier: "SCO 5.0.5 lpr local root exploit"
Previous message: Steve Fallin: "Re: Default configuration in WatchGuard Firewall"
Next in thread: Georgi Guninski: "Re: Hotmail security vulnerability - injecting JavaScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:54 PDT