Full Disclosure mailing list archives
Re: Youtube xss
From: rafael.gomes () ufba br
Date: Sun, 04 Jul 2010 21:39:54 -0300
They already fixed this! I tried. -- Rafael Gomes via Webmail Analista de Segurança LPIC-1 MCSO DISUP/CPD/UFBA Tel : +55 71 3283 6100 Citando Christopher Grant <chrisgrantmail () gmail com>:
See http://www.youtube.com/watch?v=0xFbldgYVwQ for an example. It would appear that including something along the lines of "* <script>IF_HTML_FUNCTION?*" followed by your payload in a comment bypasses youtube's xss defenses. Pretty big hole eh? - Chris
---------------------------------------------------------------- Universidade Federal da Bahia - http://www.portal.ufba.br _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Youtube xss Christopher Grant (Jul 04)
- Re: Youtube xss rafael . gomes (Jul 04)