A guy from White Hat Security is quoted in the BetaNews article with an estimate that 90% of all Web sites are vulnerable to this sort of hack. Very few sites, though, have as many active users as MySpace. It's not that those guys were even negligent in their coding practices. This kid found a roundabout way to plant JS code that IE would execute.
It reminds me of why I originally downloaded NoScript for Firefox, because some sites- in order to defeat pop-up blockers- had taken to chopping up JS window.open commands into string parts, then concatenating the strings and evaluating the result. >On 10/14/05, Michael T. Tangorre <[EMAIL PROTECTED]> wrote: >> > From: Robert Munn [mailto:[EMAIL PROTECTED] >> > f-ing script kiddies. >> >> More like, "fucking shitty coders!" > >Easy for you to say. I'll bet we all have production code in place >right now that are vulnerable to something like this. The only reason >this happened to myspace.com and not us is because myspace.com is very >high profile. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:5:177115 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:5 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.5 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
