O'Reilly WebBoard 4.10.30 JavaScript code execution problem

From: Helmuth Antholzer (helliat_private)
Date: Sat Jun 02 2001 - 10:00:36 PDT


    I found the following problem in the WebBoard:
    The Board has a paging function. User A can send a message to user B. User
    B gets a JavaScript popup (produced with alert()) with the message from user
    A.
    The problem is that user A can close the alert() function and so he can
    execute his JavaScript code on user B's machine.
    
    Example of a message which executes my code:
    \');for(i=0;i<100000;i++) alert("not nice"); //
    
    There is a function that escapes the ' but if I escape it, it will be escaped
    a second time ... the effect is that the \ will then be escaped and the alert
    is closed. So after that I can put my code! // (comment): this comment is
    needed because there is still a '); from the alert; with the help of the
    comment this will not produce an error.
    
    greets helli
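
The double-escaping flaw described in the message above, shown beside a hardened encoder, as an added example that is not part of the original post and is not WebBoard's own code. `naiveEscape`, `safeEscape`, `buildAlert` and `literalIsContained` are hypothetical names, and the sample message is constructed with the same shape as the one in the post.

```javascript
// Hypothetical reconstruction of the behaviour the post describes: only the
// single quote is escaped, so a backslash typed by the sender passes through
// and neutralises the backslash the filter adds in front of the quote.
function naiveEscape(msg) {
  return msg.replace(/'/g, "\\'");
}

// Hardened encoder: every character that can end or alter a single-quoted
// JavaScript literal (backslash first of all), plus HTML-significant
// characters, is emitted as a \uXXXX escape.
function safeEscape(msg) {
  return msg.replace(/[\\'"<>&\u2028\u2029\r\n]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The statement the server would write into user B's page.
function buildAlert(escapeFn, msg) {
  return "alert('" + escapeFn(msg) + "');";
}

// Walks the generated statement like a JavaScript tokenizer would and reports
// whether the string literal ends exactly at the trailing "');" that the
// server appended. false means sender text escaped the literal.
function literalIsContained(stmt) {
  let i = "alert('".length;
  while (i < stmt.length) {
    const ch = stmt[i];
    if (ch === "\\") { i += 2; continue; }     // escape sequence: skip the pair
    if (ch === "'") break;                     // first unescaped quote ends it
    if (ch === "\n" || ch === "\r") return false;
    i++;
  }
  return stmt.slice(i) === "');";
}

// Constructed sample input: backslash + quote, then text, then a comment.
const sample = "\\'); injected(); //";
for (const [name, fn] of [["naive", naiveEscape], ["safe", safeEscape]]) {
  const stmt = buildAlert(fn, sample);
  console.log(name.padEnd(6), literalIsContained(stmt), stmt);
}
```
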
    



    This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 09:08:45 PDT