Message-ID: <20041123045044.15166.qmail@www.securityfocus.com>
Date: 23 Nov 2004 04:50:44 -0000
From: kevin anonymous <undergroundwars@...il.com>
To: bugtraq@...urityfocus.com
Subject: echalk vuln

echalk is a service that makes advanced websites for schools. A lot of them have online classes, student email systems and homework checks. My school uses echalk and I found this vuln on their site. In echalk's search form it blocks out most HTML and JavaScript, but if you use <script><img src=javascript:somejavacommand /></script> it actually shows an image icon that contains JavaScript. This vuln can be used to submit any JavaScript command you want to the site. This can be fixed by not allowing any < characters in the search form.

-hypnosses
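The filter behaviour the post describes, as an added example that is not eChalk's code and not part of the original message: a hypothetical tag-blocklist filter of the "blocks out most HTML and JavaScript" kind is run on the reported payload beside HTML output encoding, the standard mitigation for reflected input in a search form, plus a small detection check a defender can run over logged search parameters. The filter, the encoder and the check are all assumptions written for this illustration.

```javascript
// Constructed input: the bypass string quoted in the post.
const REPORTED_PAYLOAD = '<script><img src=javascript:somejavacommand /></script>';

// Hypothetical blocklist filter of the style the post describes: it strips
// <script> tags and on* event handlers, but leaves every other tag intact.
function blocklistFilter(input) {
  return input
    .replace(/<\/?script[^>]*>/gi, '')                                   // drop script tags
    .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');         // drop onXXX= handlers
}

// Output encoding: escape the characters that can open a tag or break out of
// an attribute, so reflected search text is rendered as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Can this string still open an HTML tag once inserted into a page as-is?
function canOpenTag(s) {
  return /<\s*\/?\s*[a-z]/i.test(s);
}

// Detection check for logged search parameters: flag raw input that carries a
// tag opener or a javascript: URL scheme, the two ingredients of this report.
function isSuspiciousSearch(rawInput) {
  return canOpenTag(rawInput) || /javascript\s*:/i.test(rawInput);
}

function demo() {
  const filtered = blocklistFilter(REPORTED_PAYLOAD);
  const encoded = escapeHtml(REPORTED_PAYLOAD);
  return {
    filtered,                                  // '<img src=javascript:somejavacommand />'
    filteredCanOpenTag: canOpenTag(filtered),  // true: the img tag survives the blocklist
    encoded,
    encodedCanOpenTag: canOpenTag(encoded),    // false: rendered as inert text
    flagged: isSuspiciousSearch(REPORTED_PAYLOAD), // true
  };
}
```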