Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Youtube xss

From: rafael.gomes () ufba br
Date: Sun, 04 Jul 2010 21:39:54 -0300
They already fixed this! I tried.
-- 
Rafael Gomes via Webmail
Analista de Segurança
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100


Citando Christopher Grant <chrisgrantmail () gmail com>:


See http://www.youtube.com/watch?v=0xFbldgYVwQ for an example. It would
appear that including something along the lines of "*
<script>IF_HTML_FUNCTION?*" followed by your payload in a comment bypasses
youtube's xss defenses. Pretty big hole eh?
- Chris





----------------------------------------------------------------
Universidade Federal da Bahia - http://www.portal.ufba.br

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: