On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:
I'm testing my current site for XSS vulnerabilities, and I came across
this one on:
http://ha.ckers.org/xss.html
well, not MP related but
if you let users embed flash / etc in profile pages, make sure you
strip object tags -- just use the embed
also add
allowScriptAccess="never"
allownetworking="internal"
without that, you can use getURL from within flash to call arbitrary
code
most social networks have. but i *think* friendster still hasn't
done it yet.. there's a popular hack amongst east-asian teens right
now to include a flash file onto their profile pages that includes an
external JS which alters the DOM tree to skin it any-which-way they
want.
// Jonathan Vanasco
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
