[26807] in bugtraq

phpReactor - Cross-Site Scripting via STYLE

daemon@ATHENA.MIT.EDU (Matthew Murphy)
Mon Aug 26 10:12:26 2002

Message-ID: <008901c24b95$54e06e80$e62d1c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>,
        "Full Disclosure" <full-disclosure@lists.netsys.com>,
        "SecurITeam News" <news@securiteam.com>,
        "Vuln-Dev" <vuln-dev@securityfocus.com>,
        "VulnWatch" <vulnwatch@vulnwatch.org>,
        "VulnDiscuss" <vulndiscuss@vulnwatch.org>
Date: Sat, 24 Aug 2002 12:40:25 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

phpReactor has recently been updated to eliminate several known cross-site
scripting vulnerabilities.  One of these changes reduced the tags
allowed in posts, profiles, etc. down to B, I, and FONT.  However, using the
"STYLE" attribute, one can still defeat this:

<b style="expression(alert(document.cookie))">

This won't work on all browsers (IE runs it, though).

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
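
The gap described in the message above, shown as an added example (not part of the original post and not phpReactor's own code): a filter that checks only tag names lets the STYLE attribute through, while one that rebuilds each allowed tag from an attribute allowlist drops it. The function names, the FONT attribute list and the value pattern are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "font"}                     # tag allowlist named in the post
ALLOWED_ATTRS = {"font": {"color", "size", "face"}}   # assumption: attributes worth keeping
SAFE_VALUE = re.compile(r"^[#\w ,\-]{1,40}$")         # assumption: plain colour/size/face values

def tag_only_filter(html):
    """Weak check: looks only at the tag name, so any attribute rides along."""
    def keep(m):
        return m.group(0) if m.group(1).lower() in ALLOWED_TAGS else ""
    return re.sub(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", keep, html)

class _Rebuilder(HTMLParser):
    """Re-serialises input from parsed events; raw markup is never copied through."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        # Keep an attribute only if it is allowlisted for this tag and its value is plain.
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED_ATTRS.get(tag, ()) and v and SAFE_VALUE.match(v)]
        self.out.append("<" + tag + "".join(
            ' %s="%s"' % (k, escape(v, quote=True)) for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def attribute_aware_filter(html):
    """Allowlist on tags and on attributes; STYLE and event handlers are dropped."""
    parser = _Rebuilder()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample post; the <b style=...> tag is the one quoted in the advisory.
SAMPLE = ('<b style="expression(alert(document.cookie))">hi</b> '
          '<font color="#ff0000" onmouseover="x()">red</font><u>y</u>')

if __name__ == "__main__":
    print(tag_only_filter(SAMPLE))         # attributes survive
    print(attribute_aware_filter(SAMPLE))  # only allowlisted attributes survive
```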