[25198] in bugtraq


Re: Cross site scripting @verisign.com and @cybercash.com

daemon@ATHENA.MIT.EDU (zeno)
Sat Apr 20 16:34:26 2002

From: zeno <bugtraq@cgisecurity.net>
Message-Id: <200204191834.g3JIYVi13264@cgisecurity.net>
To: dotslash@snosoft.com (KF)
Date: Fri, 19 Apr 2002 14:34:31 -0400 (EDT)
Cc: websitesupport@verisign.com, support@verisign.com, recon@snosoft.com,
        vuln-dev@security-focus.com, bugtraq@security-focus.com
In-Reply-To: <no.id> from "KF" at Apr 19, 2002 12:38:16 PM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> 
> http://www.cybercash.com/<script>alert('hi')</script>
> 
> or 
> 
> http://www.verisign.com/ <http://www.cybercash.com/><script>alert('hi')</script>
> 
> Not sure how big a deal this is... but seeing as how the name verisign 
> is associated with "Security" I think it should be looked at. This 
> didn't work from my Mozilla browser on linux but it did from IE on 
> win2k... could be a browser detection method causing the varied results.
> -KF
> 

Because of the popularity of XSS/CSS holes, I have written a FAQ on the subject. Should be out in a week
or so. If anyone has questions about cross site scripting, throw me an email and I'll maybe add it to
the FAQ.

- zeno@cgisecurity.com

