Re: [Zope-dev] New: Cross Site Scripting vulnerability

Andy McKay Sun, 23 Sep 2001 16:44:42 -0700
What does this have to do with Zope? Its down to an individual application.

----- Original Message ----- 
From: "ALife" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability


> 
> Example:
> 
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
> 
> For  example, an attacker might post a message like
> 
>         Hello message board. This is a message.
>                <SCRIPT>malicious code</SCRIPT>
>         This is the end of my message.
> 
>     When a victim with scripts enabled  in their  browser reads this
> message,  the  malicious  code   may  be  executed   unexpectedly.
>     Scripting tags that can be embedded in this way include <SCRIPT>,
> <OBJECT>, <APPLET>, and <EMBED>.
> 
> 
> 
> _______________________________________________
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
> 


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] New: Cross Site Scripting vulnerability

Reply via email to
