Bugtraq mailing list archives
Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag
From: smiths () TIAC NET (Richard M. Smith)
Date: Tue, 14 Sep 1999 21:54:22 -0400
Hello,
This is actually more than just another hotmail glitch. Many (all?) web services are doing things wrong:
Yes, the problem with JavaScript enitities (ie, &{<expression>};) happens all of over the Web. Here are some places that I have found where it is possible to inject JavaScript code into Web pages: 1. Most Web Email services 2. Most Web message board software 3. Most guest book software 4. Yahoo profiles (this has now been fixed) 5. Techstocks Web board messages. 6. Some search engine result pages 7. eBay auction postings 8. Netcenter (now fixed) Basically a JavaScript enitity can be added to the end of any URL for an image or a link. When the page is displayed, the code in the enitity is executed. Pretty much any Web site that allows user supplied information can have the problem. Richard
Current thread:
- Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Metal Hurlant (Sep 14)
- Re: Hotmail security vulnerability - injecting JavaScript using <STYLE> tag Richard M. Smith (Sep 14)