[24845] in bugtraq
JS embedding @ www.reed.co.uk
daemon@ATHENA.MIT.EDU (elaborate ruse)
Tue Mar 26 19:00:48 2002
Message-ID: <2935820023226231534984@trust-me.com>
Reply-To: advisories@elaboration.8bit.co.uk
From: "elaborate ruse" <elaborateruse@trust-me.com>
To: bugtraq@securityfocus.com
Cc: Alex.Silk@reed.co.uk
Date: Tue, 26 Mar 2002 17:15:34 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Title: JS embedding @ www.reed.co.uk
Date: 26.03.02
Author: elab (http://elaboration.8bit.co.uk)
Problem: Improper input validation during sign up process allows users to
embed JavaScript
Vendor Status: Contacted on: 17:00 GMT 14 March 02
Via: http://www.reed.co.uk/contact.asp
Response: Within 2 hours
Summary:
Due to improper input validation users are able to insert/embed
JavaScript in to certain form fields during the sign up
process.
Once the registration process is complete viewing the user's
profile will download and execute the embedded JS.
Solution:
The problem was fixed by the vendor within 5 working days of
it being reported.
Now when a user attempts to insert JavaScript in to the sign up
form they are be redirected to an error page.
Vendor:
The vendor was contacted on 17:00 GMT 14 March 02 via an online
contact form and replied within 2 hours with a professional and
friendly response.
Official vendor response:
"We are happy to acknowledge the part elab played in alerting
us to an absence of validation on one of our site's forms.
Although this was never exploited, and has now been corrected
on the site, we are most grateful to elab for pointing it out".
Credit:
Credit is given to the vendor for handling this issue in the
correct manner.
_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com
