Hi Marcin,

On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to 
>>> http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an 
> invalid image, I think.

Not so. Consider the following piece of Perl:

#!/usr/bin/perl
# CGI script: answer the image request with a redirect whose query string
# carries the payload; the browser still ends up loading a real image.
print "Location: img.png?alert('I am evil!')\n\n";

And the following HTML:

<!DOCTYPE html>
<iframe src='img.pl' id='pl'></iframe>
<script>
  window.onload = function () {
    // read the query string of the redirected image URL and evaluate it
    eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1)));
  }
</script>

This produces the expected alert. No script was ever exchanged, and I get the 
image to display perfectly fine.

-- 
Robin Berjon - http://berjon.com/
