Interesting People mailing list archives
IP: Cross-site scripting still a threat Risks Digest 21.22
From: Dave Farber <dave () farber net>
Date: Sat, 27 Jan 2001 08:21:33 -0500
Date: Tue, 23 Jan 2001 14:51:14 -0500
From: Michael Sims <jellicle () inch com>
Subject: Cross-site scripting still a threat

News.com (CNET) unveiled today a fresh new look to their site. The two major innovations appear to be:

a) huge, garish advertisements
b) cross-site scripting vulnerabilities

The new site accepts URL variables - user input - for page titles and headlines in the pages. This allows users with a moderate degree of savvy to "write your own CNET headlines", or write your own javascript to be executed from CNET's pages. You can publicize URLS like this:

http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com&topic=slashdot

or this:
For archives see: http://www.interesting-people.org/
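An added example, not part of the original message and not CNET's code: a sketch of a page that reflects the `title` URL parameter the way the message describes, next to two fixes. The template, the `news.example` URL with markup in it, the `TOPIC_TITLES` table and all function names are assumptions constructed for illustration.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# URL quoted in the message above.
URL_FROM_POST = ("http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors"
                 "%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com"
                 "&topic=slashdot")
# Constructed sample: the same parameter carrying markup instead of plain text.
URL_WITH_MARKUP = "http://news.example/topic.html?title=%3Cscript%3Edemo()%3C/script%3E&topic=t"

# Hypothetical page template with the title used as both <title> and headline.
TEMPLATE = "<html><head><title>{t}</title></head><body><h1>{t}</h1></body></html>"
# Hypothetical server-side table mapping topic keys to headlines.
TOPIC_TITLES = {"slashdot": "Slashdot"}

def query_value(url, name, default=""):
    """Return the first decoded value of a query parameter, or the default."""
    return parse_qs(urlsplit(url).query).get(name, [default])[0]

def render_unsafe(url):
    # Reflects the parameter verbatim: markup in the URL becomes markup in the page.
    return TEMPLATE.format(t=query_value(url, "title", "News"))

def render_escaped(url):
    # Output-encodes for HTML text context: script no longer runs,
    # but the visitor still sees whatever headline the link author chose.
    return TEMPLATE.format(t=escape(query_value(url, "title", "News"), quote=True))

def render_server_side(url):
    # Takes no display text from the URL: the headline is looked up by topic key.
    headline = TOPIC_TITLES.get(query_value(url, "topic"), "News")
    return TEMPLATE.format(t=escape(headline, quote=True))

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped, render_server_side):
        print(render.__name__)
        print("  ", render(URL_FROM_POST))
        print("  ", render(URL_WITH_MARKUP))
```

Escaping alone closes the script-execution path but leaves the "write your own headlines" problem in place; only the lookup variant removes both.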