From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Sat Sep 14 2002 - 15:23:54 CDT

    A vulnerability exists in the W3C HTML validator that allows for cross-site
    scripting. I haven't really studied the impacts of this much, but it could
    be used (in theory) to gain access to the member area data for the user (the
    member area uses Basic authentication):

    http://validator.w3.org/check?charset=%28detect+automatically%29&doctype=%28detect+automatically%29&uri=http%3A%2F%2F%3CSCRIPT%3Ealert%28document.URL%29%3C%2FSCRIPT%3E

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
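
Added example, not part of the original message and not the validator's own code: it decodes the `uri` parameter from the URL above and contrasts a result page that echoes it verbatim with one that HTML-escapes it, plus a scheme/host check on input. The page templates and function names are hypothetical; the message does not say where in the output the value is reflected.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The request URL from the message, joined back onto one line.
REPORTED_URL = (
    "http://validator.w3.org/check?charset=%28detect+automatically%29"
    "&doctype=%28detect+automatically%29"
    "&uri=http%3A%2F%2F%3CSCRIPT%3Ealert%28document.URL%29%3C%2FSCRIPT%3E"
)


def submitted_uri(request_url):
    """Return the percent-decoded `uri` parameter, as the CGI would receive it."""
    return parse_qs(urlsplit(request_url).query).get("uri", [""])[0]


def render_unsafe(uri):
    """Hypothetical result page that echoes the parameter verbatim."""
    return "<p>Could not retrieve " + uri + "</p>"


def render_escaped(uri):
    """The same hypothetical page with the value HTML-escaped on output."""
    return "<p>Could not retrieve " + html.escape(uri, quote=True) + "</p>"


def is_plausible_http_uri(uri):
    """Input check: http(s) scheme and a host of hostname characters only."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(
        re.fullmatch(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?", host)
    )


if __name__ == "__main__":
    uri = submitted_uri(REPORTED_URL)
    print("decoded uri :", uri)
    print("unsafe page :", render_unsafe(uri))
    print("escaped page:", render_escaped(uri))
    print("passes check:", is_plausible_http_uri(uri))
```

Escaping on output is the fix that holds regardless of what the input check lets through; the host check only narrows what reaches the fetcher.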