Bugtraq mailing list archives
phpReactor - Cross-Site Scripting via STYLE
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sat, 24 Aug 2002 12:40:25 -0500
phpReactor has recently been updated to eliminate several known cross-site scripting vulnerabilities. Among these changes was to reduce the tags allowed in posts, profiles, etc. down to B, I, and FONT. However, using the "STYLE" attribute, one can still defeat this:

<b style="expression(alert(document.cookie))">

This won't work on all browsers (IE runs it, though).

"The reason the mainstream is thought of as a stream is because it is so shallow."
- Author Unknown
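
Added example, not part of the original post and not phpReactor's own code: a tag-only allowlist next to one that also rejects attributes, run over the payload quoted above. The function names are hypothetical, and the use of strip_tags() for the weak filter is an assumption about how such a filter is commonly written, not a statement about phpReactor's implementation.

```php
<?php
// Added example; filter_tags_only() and filter_bare_tags() are hypothetical names.

// Weak pattern: an allowlist of tag names that never inspects attributes.
// strip_tags() leaves every attribute on the tags it allows, STYLE included.
function filter_tags_only(string $html): string
{
    return strip_tags($html, '<b><i><font>');
}

// Hardened pattern: escape the whole input first, then restore only
// allowlisted tags that carry no attributes at all. A tag with any
// attribute never matches the pattern and stays escaped as text.
function filter_bare_tags(string $html): string
{
    $escaped = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    return preg_replace('#&lt;(/?)(b|i|font)&gt;#i', '<$1$2>', $escaped);
}

// Constructed sample inputs; the second is the payload from the post.
$samples = [
    '<b>bold</b> and <i>italic</i>',
    '<b style="expression(alert(document.cookie))">hello</b>',
    '<font color="red">text</font>',
    '<script>x()</script>',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "tags only: " . filter_tags_only($s) . "\n";
    echo "bare tags: " . filter_bare_tags($s) . "\n\n";
}
```

With the tag-only filter the STYLE attribute reaches the page unchanged; with the second filter the opening tag is rendered as literal text. The second filter can leave an unmatched closing tag behind and drops harmless attributes such as color, so a filter that needs attributes has to allowlist them and their values explicitly.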