XSS in Slashcode

• Previous message: EnGarde Secure Linux: "[ESA-20020702-016] several vulnerabilities in the OpenSSH daemon"
• Next in thread: Jamie McCarthy: "Re: XSS in Slashcode"
• Reply: Jamie McCarthy: "Re: XSS in Slashcode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is a nasty Cross Site Scripting(XSS) vuln in
Slashcode. This was used a day or so go on
slashdot.org and resulted in most of the site being
taken down for an hour or so. The maintainers of
slashcode have patched the problem in CVS but have not
even mentioned it anywhere that I can find. This
leaves all sites using slash vulnerable to this
exploit.

An example exploit (incomplete) is as follows:

<p &gt; onMouseOver..insert javascript here...>

I am dissapointed that the slachcode maintainers have
silently fixed this on slashdot.org yet made no
mention of the problem elsewhere so that other sites
can patch themselves. No wonder there are so many
"trolls" on slashdot.org...ah well.

If you run a site using slashcode, get the latest CVS.

That is all. Move along. 


__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

• Next message: Nelson Brito: "RE: ftp.bitchx.org's ircii-pana-1.0c19.tar.gz is backdoored"
• Previous message: EnGarde Secure Linux: "[ESA-20020702-016] several vulnerabilities in the OpenSSH daemon"
• Next in thread: Jamie McCarthy: "Re: XSS in Slashcode"
• Reply: Jamie McCarthy: "Re: XSS in Slashcode"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 06:21:55 PDT