Interesting People mailing list archives

IP: Cross-site scripting still a threat Risks Digest 21.22


From: Dave Farber <dave () farber net>
Date: Sat, 27 Jan 2001 08:21:33 -0500



Date: Tue, 23 Jan 2001 14:51:14 -0500
From: Michael Sims <jellicle () inch com>
Subject: Cross-site scripting still a threat

News.com (CNET) unveiled today a fresh new look to their site.  The two
major innovations appear to be:

a) huge, garish advertisements
b) cross-site scripting vulnerabilities

The new site accepts URL variables - user input - for page titles and
headlines in the pages. This allows users with a moderate degree of savvy to
"write your own CNET headlines", or write your own JavaScript to be executed
from CNET's pages.

You can publicize URLs like this:

http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com&topic=slashdot

or this:



For archives see: http://www.interesting-people.org/
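The mechanism Sims describes is a reflected cross-site scripting flaw: the decoded value of a URL query variable is written straight into the page's markup. The following is an added example, not code from the RISKS post or from CNET, showing the vulnerable rendering pattern beside its hardened form. It reuses the headline URL quoted in the message and constructs a second, script-bearing URL of the same shape (an assumption, since the post's own second URL is not preserved in the archive); it contacts no live site.

```javascript
// Added example (not from the RISKS post or CNET's code): how a reflected
// URL parameter becomes XSS, and the fix. The script-bearing URL below is
// constructed here to match the pattern quoted in the message.

// Minimal HTML escaping for text placed between tags. Attribute values
// need quoting plus this escaping; script or URL contexts need more.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract the user-controlled "title" query variable, percent-decoded,
// as the redesigned site did before placing it in the headline.
function titleFromUrl(url) {
  return new URL(url).searchParams.get("title") || "";
}

// The vulnerable pattern: the decoded parameter is concatenated straight
// into the page, so whatever the URL carries is emitted as live markup.
function renderHeadlineVulnerable(url) {
  const title = titleFromUrl(url);
  return `<h1 class="headline">${title}</h1>`;
}

// The hardened pattern: the same value, escaped for the HTML text context
// before insertion. A <script> tag arrives in the browser as visible text.
function renderHeadlineSafe(url) {
  const title = titleFromUrl(url);
  return `<h1 class="headline">${escapeHtml(title)}</h1>`;
}

// Does the rendered output contain an active script element? Used to show
// which renderer lets a payload through.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The benign "write your own headline" URL quoted in the post.
const HEADLINE_URL =
  "http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com&topic=slashdot";

// Constructed script-bearing variant of the same URL (assumption: the
// post's own second example URL is not preserved in the archive).
const SCRIPT_URL =
  "http://news.cnet.com/news/topic/0-1003-249-0.html?title=" +
  encodeURIComponent("<script>alert(document.cookie)</script>") +
  "&topic=slashdot";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderHeadlineVulnerable(HEADLINE_URL)); // attacker-chosen headline
  console.log(renderHeadlineVulnerable(SCRIPT_URL));   // script runs in the visitor's browser
  console.log(renderHeadlineSafe(SCRIPT_URL));         // same payload, shown as text
}
```

The "write your own headline" trick and the script-injection trick are the same bug: the first URL is only embarrassing, the second runs in the CNET origin with access to the visitor's cookies. Escaping at output time, for the specific context the value lands in, closes both.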

