[37455] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

echalk vuln

daemon@ATHENA.MIT.EDU (kevin anonymous)
Tue Nov 23 14:01:01 2004

Date: 23 Nov 2004 04:50:44 -0000
Message-ID: <20041123045044.15166.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: kevin anonymous <undergroundwars@gmail.com>
To: bugtraq@securityfocus.com

echalk is a service that makes advanced websites for schools. alot of them have online classes student email systems and homework checks. my school uses echalk and i found this vuln on their site. in echalk's search form it blocks out most html and javascript but if you use &lt;script&gt;<img src=javascript:somejavacommand />&lt;/script&gt;
it actually  shows an image icon that contains javascript. this vuln can be used to submit any javascript command you want to the site.this can be fixed by not allowing any < characters in the search forum.

-hypnosses


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[37455] in bugtraq

echalk vuln

daemon@ATHENA.MIT.EDU (kevin anonymous)Tue Nov 23 14:01:01 2004

daemon@ATHENA.MIT.EDU (kevin anonymous)
Tue Nov 23 14:01:01 2004