JS embedding @ www.reed.co.uk

From: elaborate ruse (elaborateruse@trust-me.com)
Date: Tue Mar 26 2002 - 15:15:34 PST


     Title:		JS embedding @ www.reed.co.uk
     Date:		26.03.02		
     Author:		elab (http://elaboration.8bit.co.uk)
     Problem:		Improper input validation during sign up process allows users to
     		embed JavaScript
     Vendor Status:	Contacted on:	17:00 GMT 14 March 02 	
     		Via:		http://www.reed.co.uk/contact.asp 
    		Response:	Within 2 hours
    
    
     Summary:
     		Due to improper input validation, users are able to insert/embed
    		JavaScript into certain form fields during the sign up
    		process.
    
    		Once the registration process is complete, viewing the user's
    		profile will download and execute the embedded JS.
    
     Solution:	
     		The problem was fixed by the vendor within 5 working days of
     		it being reported.
    		
    		Now when a user attempts to insert JavaScript into the sign up
    		form they are redirected to an error page.
    
     Vendor:
     		The vendor was contacted on 17:00 GMT 14 March 02 via an online
    		contact form and replied within 2 hours with a professional and
    		friendly response.
    
    		Official vendor response:
    
    		"We are happy to acknowledge the part elab played in alerting
    		us to an absence of validation on one of our site's forms.
    		Although this was never exploited, and has now been corrected
    		on the site, we are most grateful to elab for pointing it out".
    
     Credit:	
     		Credit is given to the vendor for handling this issue in the
    		correct manner.
    
    
    
    
    
    
    
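Added example, not part of the original advisory and not reed.co.uk's code: a sketch of the two defensive layers relevant to the issue described above, rejecting markup at sign-up (the behaviour the Solution section describes) and HTML-encoding profile fields on output so that a value stored before the input check existed is still rendered as inert text. The field names, the "/error" location and the in-memory store are assumptions made for illustration.

```javascript
// Hypothetical in-memory store standing in for the site's user database.
const profiles = new Map();

// Layer 1: input validation at sign-up. Any field containing angle brackets
// is refused, mirroring the fix described in the advisory.
function validateSignup(fields) {
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string" || value.length > 200 || /[<>]/.test(value)) {
      return { ok: false, field: name };
    }
  }
  return { ok: true };
}

function signup(username, fields) {
  const result = validateSignup(fields);
  if (!result.ok) {
    // Nothing is stored; the caller is redirected (location is an assumption).
    return { status: 302, location: "/error", field: result.field };
  }
  profiles.set(username, fields);
  return { status: 200 };
}

// Layer 2: output encoding when the profile is viewed. This is what protects
// viewers from records that were saved before layer 1 was deployed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfile(username) {
  const p = profiles.get(username);
  if (!p) return null;
  return `<h1>${escapeHtml(p.displayName)}</h1><p>${escapeHtml(p.town)}</p>`;
}

// Constructed sample data: a record written before validation existed.
profiles.set("legacy-user", { displayName: "<script>alert(1)</script>", town: "London" });
```

Input-side rejection alone leaves previously stored values untouched, which is why the encoding step sits at render time as well.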
    


