[20846] in bugtraq
O'Reilly WebBoard 4.10.30 JavaScript code execution problem
daemon@ATHENA.MIT.EDU (Helmuth Antholzer)
Mon Jun 4 12:08:33 2001
Message-ID: <005f01c0eb85$8bf9de40$d822c0d5@hell>
From: "Helmuth Antholzer" <helli@dnet.it>
To: <bugtraq@securityfocus.com>
Date: Sat, 2 Jun 2001 19:00:36 +0200

I found the following problem in the WebBoard:
The Board has a paging function. User A can send a message to user B. User
B gets a JavaScript popup (produced with alert()) with the message from user
A.
The problem is that user A can close the alert() function and so he can
execute his JavaScript code on user B's machine.
Example of a message which executes my code:
\');for(i=0;i<100000;i++) alert("not nice"); //
There is a function that escapes the ', but if I escape it, it will be escaped
a second time ... the effect is that the \ will then be escaped and the alert
is closed. So after that I can put my code! // (comment): this comment is
needed because there is still a '); from the alert; with the help of the
comment this will not produce an error.
greets helli
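
The escaping flaw described in the message above, as an added example that is not part of the original post and not WebBoard's own code: a quote-only escaper beside one that also neutralises the backslash, with a check that the escaped text stays inside the alert('...') literal. All function names are hypothetical, the sample message is constructed, and the hardened version assumes the alert() call is emitted in an inline script block.

```javascript
// Added illustration; WebBoard's real escaping code is not shown in the post.
// All function names here are hypothetical.

// Flawed: escapes the quote but not the backslash, as the post describes.
function escapeQuoteOnly(msg) {
  return msg.replace(/'/g, "\\'");
}

// Hardened: every character that can end or alter the literal (or an inline
// <script> block) becomes a \uXXXX escape, including the backslash itself.
function escapeJsString(msg) {
  return msg.replace(/[\\'"<>&\r\n\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Build the statement the page would emit for a paged message.
function renderAlert(escaper, msg) {
  return "alert('" + escaper(msg) + "');";
}

// True if `escaped` cannot terminate a single-quoted JS string literal.
function staysInsideLiteral(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    const c = escaped[i];
    if (c === "\\") {
      if (i + 1 >= escaped.length) return false; // would escape the closing quote
      i++;                                       // skip the escaped character
    } else if (c === "'" || c === "\n" || c === "\r") {
      return false;                              // unescaped terminator
    }
  }
  return true;
}

// Constructed sample with the same shape as the message in the post.
const sample = "\\'); injected(); //";

for (const [name, fn] of [["quote-only", escapeQuoteOnly], ["hardened", escapeJsString]]) {
  console.log(name, "->", renderAlert(fn, sample),
              "| contained:", staysInsideLiteral(fn(sample)));
}
```

The quote-only escaper is correct for ordinary text such as "it's", which is why the flaw only appears when the sender supplies the backslash.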