Subject: IP: Cross-site scripting still a threat Risks Digest 21.22
>Date: Tue, 23 Jan 2001 14:51:14 -0500
>From: Michael Sims <jellicle@inch.com>
>Subject: Cross-site scripting still a threat
>
>News.com (CNET) unveiled today a fresh new look to their site. The two
>major innovations appear to be:
>
>a) huge, garish advertisements
>b) cross-site scripting vulnerabilities
>
>The new site accepts URL variables - user input - for page titles and
>headlines in the pages. This allows users with a moderate degree of savvy to
>"write your own CNET headlines", or write your own javascript to be executed
>from CNET's pages.
>
>You can publicize URLS like this:
>
>http://news.cnet.com/news/topic/0-1003-249-0.html?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better%20news%20site%20than%20News.com&topic=slashdot
>
>or this:

For archives see: http://www.interesting-people.org/
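The reflection described in the message, as an added example that is not part of the original post or of CNET's code: it renders the quoted URL's `title` parameter raw, HTML-escaped, and via a server-side lookup, and checks each for reflected markup. The page template, the `TOPIC_TITLES` table, the probe string and the `news.example` host are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# URL quoted in the message above.
SAMPLE_URL = ("http://news.cnet.com/news/topic/0-1003-249-0.html"
              "?title=CNET%20Editors%20Agree:%20Slashdot%20is%20a%20better"
              "%20news%20site%20than%20News.com&topic=slashdot")
# Assumed page template: the title is placed in <title> and in the headline.
PAGE = "<html><head><title>{t}</title></head><body><h1>{t}</h1></body></html>"
# Hypothetical server-side table: the headline is keyed by topic id.
TOPIC_TITLES = {"slashdot": "Slashdot coverage"}
# Constructed, inert markup used only to see whether input comes back raw.
PROBE = "<i>constructed-probe</i>"


def param(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url):
    """Behaviour described in the message: user input copied into the page."""
    return PAGE.format(t=param(url, "title"))


def render_escaped(url):
    """Output encoding: markup is neutralised, but the text is still the user's."""
    return PAGE.format(t=html.escape(param(url, "title"), quote=True))


def render_lookup(url):
    """Headline comes from server data; the title parameter is ignored."""
    title = TOPIC_TITLES.get(param(url, "topic"), "News")
    return PAGE.format(t=html.escape(title))


def reflects_markup(render):
    """True if the renderer returns the probe markup unencoded."""
    query = urlencode({"title": PROBE, "topic": "slashdot"})
    return PROBE in render("http://news.example/page.html?" + query)


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped, render_lookup):
        spoofed = "Slashdot is a better" in render(SAMPLE_URL)
        print(f"{render.__name__}: markup reflected={reflects_markup(render)}, "
              f"user-written headline shown={spoofed}")
```

Escaping stops script execution but still lets the URL set the headline text; only the lookup variant closes both problems the message lists.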