thanks Sandy. good to know. larry
On 10/14/05, Sandy Clark <[EMAIL PROTECTED]> wrote: > Its actually an IE error, > > IE will allow javascript to be run within css script tags, mozilla won't. > The writer split the word javascript across two lines to fool myspace's > scrubbing code and then used XMLHTTPRequest. > > CFMX7.01 wouldn't have helped. > > -----Original Message----- > From: Larry C. Lyons [mailto:[EMAIL PROTECTED] > Sent: Friday, October 14, 2005 9:58 AM > To: CF-Community > Subject: Re: Cross-Site Scripting Worm Hits MySpace > > interesting small hack. I wonder if it would have worked if they used CFMX > 7.01. > > larry > > On 10/14/05, Kevin Graeme <[EMAIL PROTECTED]> wrote: > > http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/ > > 1129232391 > > > > "One clever MySpace <http://www.myspace.com/> user looking to expand > > his buddy list recently figured out how to force others to become his > > friend, and ended up creating the first self-propagating cross-site > > scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 > > million friends on the popular online community." > > > > "To do this without a user's knowledge, the code utilized XMLHTTPRequest" > > > > Whee. > > > > -Kevin > > > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:5:177079 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:5 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.5 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
