Full Disclosure mailing list archives
Abcnews.com - XSS in Stories by ZIP Code Feature
From: full-disclosure () lists netsys com (Matthew Murphy)
Date: Fri, 9 Aug 2002 18:22:30 -0500
Advisory WA-2002-01: Vulnerability in Abcnews.com Stories by ZIP Code Feature This is my first advisory in what will more than likely become a series of similar things on cross-site scripting at major web sites. When we think of XSS bugs, we think of typical things, search boxes, guestbooks, etc. "Stories by ZIP Code" was not on my list. :-) A vulnerability in the way this is handled at abcnews.com results because the box is not required to contain all-numerical data, and is allowed arbitrary length -- and, returned unfiltered when a search fails. The example URL here will cause a textarea to display below the box. Type in a JS command and double click to see it working: http://my.abcnews.go.com/localpageMainHandler?input=%22%3E%3CTEXTAREA+STYLE% 3Dheight%3A300px%3B+width%3D300px+ONDBLCLICK%3Deval%28this.value%29%3E%3C%2F TEXTAREA%3E&input.x=0&input.y=0 "The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
Current thread:
- Abcnews.com - XSS in Stories by ZIP Code Feature Matthew Murphy (Aug 09)