On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across this one on: http://ha.ckers.org/xss.html
well, not MP related but
if you let users embed flash / etc in profile pages, make sure you strip object tags -- just use the embed
also add allowScriptAccess="never" allownetworking="internal"
without that, you can use getURL from within flash to call arbitrary code
most social networks have. but i *think* friendster still hasn't done it yet.. there's a popular hack amongst east-asian teens right now to include a flash file onto their profile pages that includes an external JS which alters the DOM tree to skin it any-which-way they want.
// Jonathan Vanasco

| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
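
The filtering this message recommends (drop object tags, keep only the embed, force allowScriptAccess="never" and allownetworking="internal"), as an added Python example that is not part of the original post. The function and class names, the attribute allow-list and the http/https-only rule for src are assumptions of the example, and the sample markup is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a user may set on <embed>; everything else is discarded.
ALLOWED_EMBED_ATTRS = ("src", "width", "height", "type")
# Always emitted with fixed values; user-supplied copies are discarded.
FORCED_EMBED_ATTRS = [("allowScriptAccess", "never"), ("allowNetworking", "internal")]


class FlashEmbedFilter(HTMLParser):
    """Keeps text and locked-down <embed> tags; drops every other tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "embed":  # <object>, <param>, <script>, ... are dropped
            return
        given = dict(attrs)  # HTMLParser lowercases attribute names
        try:
            scheme = urlsplit(given.get("src") or "").scheme
        except ValueError:  # malformed URL such as "http://["
            return
        if scheme not in ("http", "https"):
            return  # no javascript:, data: or relative sources
        kept = [(k, given[k]) for k in ALLOWED_EMBED_ATTRS if given.get(k)]
        parts = ['%s="%s"' % (k, escape(v, quote=True)) for k, v in kept + FORCED_EMBED_ATTRS]
        self.out.append("<embed %s>" % " ".join(parts))

    handle_startendtag = handle_starttag  # treat <embed ... /> the same way

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def filter_profile_html(markup):
    parser = FlashEmbedFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample input (example.com placeholder, not from a real profile).
SAMPLE = ('<object data="http://example.com/a.swf">'
          '<param name="allowScriptAccess" value="always">'
          '<embed src="http://example.com/a.swf" width="300" height="200" '
          'AllowScriptAccess="always" onload="x()"></object> hi <b>there</b>')
```

Calling `filter_profile_html(SAMPLE)` returns a single embed tag carrying the two forced attributes followed by the plain text; all other tags, including formatting ones, are dropped, so this covers only the Flash-embed part of profile filtering.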