Vulnerability Development mailing list archives

XSS in lycos htmlgear guestbook


From: Pistone <jorgep () spdps com ar>
Date: Mon, 15 Jul 2002 14:32:24 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 URL:  Htmlgear.lycos.com
 
 If a malicious user can get the guestbook user to follow
 a simple link, then they can grab that user's htmlgear
 cookies and possibly use them to authenticate as that
 user.
 
 
 WORKING EXAMPLE

http://htmlgear.lycos.com/guest/control.guest?u=usuario3&i=1&a=view<script>alert(document.cookie)</script>

 The support of Lycos receives a copy of the problem.
 
 
 Regards,
 
 Pistone
 - -----------------
 www.gauchohack.com.ar
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9MwcyY47Vx76lNPkRApjSAJ9DlpPy4yanxPXKPdy4AGpujFqjeACgoIA2
rixgTR3+M3K29PtPNmGHNEg=
=2z2c
-----END PGP SIGNATURE-----
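An added example, not part of the original post and not Lycos code: it shows the reflected-parameter pattern the report describes next to a hardened form, plus a session cookie that page script cannot read. The host name, the error-page markup, the `sign` action and all function names are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed request URL on a placeholder host, same shape as the one reported.
SAMPLE_URL = ("http://guestbook.example/guest/control.guest"
              "?u=demo&i=1&a=view<script>alert(document.cookie)</script>")

# Assumption: actions the control script accepts (only "view" appears on the page).
ALLOWED_ACTIONS = {"view", "sign"}


def get_action(url):
    """Return the raw value of the 'a' query parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("a", [""])[0]


def render_unsafe(action):
    """Vulnerable pattern: the parameter is copied into the HTML unchanged."""
    return "<p>Unknown action: " + action + "</p>"


def render_safe(action):
    """Hardened: allow-list the value, HTML-escape anything echoed back."""
    if action in ALLOWED_ACTIONS:
        return "<p>Action: " + action + "</p>"
    return "<p>Unknown action: " + html.escape(action, quote=True) + "</p>"


def session_cookie(value):
    """Build a Set-Cookie value that document.cookie cannot expose."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True  # hidden from page script
    cookie["session"]["secure"] = True    # only sent over HTTPS
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    action = get_action(SAMPLE_URL)
    print("unsafe:", render_unsafe(action))
    print("safe:  ", render_safe(action))
    print("cookie:", session_cookie("abc123"))
```

Escaping on output closes the injection point; `HttpOnly` limits what a missed injection point can steal.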

