I always keep a close eye on my log, so when I saw these entries my alarm
bells rang!

He was nice enough to notify me of it - which is how we should all work.

I am aware of XSS, but in this case there is really not much damage that can
be done with it, unless you know someone who has just logged into the site and
you send them the link, and they actually click it; then you could send the
contents of the cookie to another location.

Still something to be fixed... because we don't want to leave ANY doors open
;-))

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 23 January 2004 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: [WSG] Since you're a Taco fan... [Virus checkedAU]
> 
> His photo gallery has a nice cross-site scripting 
> vulnerability (I emailed him privately about it). But here's 
> the test URL I made, just for a laugh...
> 
> http://www.tacofleur.com/index/author/photo/?directory=%22%3E%3Cimg%20src=%22http://www.poster.net/simpsons-the/simpsons-the-homer-simpson-sitting-4001443.jpg%22%20onload=%22alert('D\'oh!')%22%20alt=%22&file=D'oh!
> 
> Viktor Radnai
> Web Developer
> Business Innovation Online
> Ernst & Young Australia
> http://www.eyware.com/
> http://www.eyonline.com/
> Direct: +612 9248 4361
> Fax: +612 9248 4073
> Mobile: +61408 662 546
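As an added illustration (not code from the gallery or from anyone in this thread), here is the reflection behind that test URL: the `directory` parameter is dropped straight into an `<img>` attribute, so a `"` followed by `><img ... onload=...` closes the attribute and injects a second tag. The template and the `/photos/` path are assumptions about how the gallery built its tag; the query string is the one from the URL above. Attribute encoding every untrusted value is the fix, and parsing the rendered output the way a browser would shows the difference.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The test URL quoted in the thread (line wrap joined); the backslash before
# the inner quote is part of the original payload.
TEST_URL = (
    "http://www.tacofleur.com/index/author/photo/?directory=%22%3E%3Cimg%20src=%22"
    "http://www.poster.net/simpsons-the/simpsons-the-homer-simpson-sitting-4001443.jpg"
    "%22%20onload=%22alert('D\\'oh!')%22%20alt=%22&file=D'oh!"
)

def params_from(url):
    """Return (directory, file) as the gallery script would receive them."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("directory", [""])[0], q.get("file", [""])[0]

def render_vulnerable(directory, file):
    # Assumed original behaviour: raw concatenation into an attribute. A '"'
    # in the input closes src="..." and the following '><img' opens a new tag.
    return '<img src="/photos/%s/%s" alt="%s">' % (directory, file, file)

def render_fixed(directory, file):
    # Same assumed template with attribute encoding on every untrusted value:
    # html.escape(quote=True) turns '"' into &quot; and '<' into &lt;, so the
    # browser cannot leave the attribute the value was placed in.
    e = lambda s: html.escape(s, quote=True)
    return '<img src="/photos/%s/%s" alt="%s">' % (e(directory), e(file), e(file))

class TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag a browser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags

def injected_handlers(markup):
    """Tags carrying an on* event handler: what to check when verifying the fix."""
    return [t for t, a in parse_tags(markup) if any(k.startswith("on") for k in a)]
```

With the fix applied the whole payload survives only as inert text inside the `src` value, which is why `render_fixed` yields a single `<img>` with no event handler while `render_vulnerable` yields two.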




*****************************************************
The discussion list for http://webstandardsgroup.org/
***************************************************** 