[Zope-dev] New: Cross Site Scripting vulnerability
Andy McKay
andym@ActiveState.com
Sun, 23 Sep 2001 16:57:59 -0700
What does this have to do with Zope? It's down to an individual application.
----- Original Message -----
From: "ALife" <buginfo@inbox.ru>
To: <Zope-Dev@zope.org>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability
>
> Example:
>
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
> http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
>
> For example, an attacker might post a message like
>
> Hello message board. This is a message.
> <SCRIPT>malicious code</SCRIPT>
> This is the end of my message.
>
> When a victim with scripts enabled in their browser reads this
> message, the malicious code may be executed unexpectedly.
> Scripting tags that can be embedded in this way include <SCRIPT>,
> <OBJECT>, <APPLET>, and <EMBED>.
>
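
The two cases in the quoted report (a request path echoed into a page, and a message-board post shown to other readers) both come down to escaping untrusted text where it is written into HTML. The following is an added example, not part of the original thread and not Zope code: it uses only the Python standard library, and the page template, function names and sample inputs are assumptions constructed from the report's examples.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs modelled on the URLs and the post quoted in the report.
SAMPLE_PATHS = [
    "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>",
    "/lalalalal%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E",
    "/Documentation/ZopeBook",
]
SAMPLE_POST = ("Hello message board. This is a message.\n"
               "<SCRIPT>malicious code</SCRIPT>\n"
               "This is the end of my message.")

# Hypothetical not-found template; {path} is where the request path is echoed.
NOT_FOUND = "<html><body><h1>Not Found</h1><p>{path} was not found.</p></body></html>"
# The four tags the report names as embeddable.
ACTIVE_TAG = re.compile(r"<\s*(script|object|applet|embed)\b", re.IGNORECASE)


def render_not_found_unsafe(raw_path):
    """'Before' form: the decoded path is pasted into the markup verbatim."""
    return NOT_FOUND.format(path=unquote(raw_path))


def render_not_found_safe(raw_path):
    """Decode once, then HTML-escape at the point of output."""
    return NOT_FOUND.format(path=html.escape(unquote(raw_path), quote=True))


def render_message_safe(body):
    """Escape each line of a stored post; only the <br> we add is real markup."""
    lines = [html.escape(line, quote=True) for line in body.splitlines()]
    return '<div class="post">' + "<br>\n".join(lines) + "</div>"


def has_active_tag(page):
    """True if one of the tags named in the report survived as live markup."""
    return ACTIVE_TAG.search(page) is not None


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path,
              "unsafe:", has_active_tag(render_not_found_unsafe(path)),
              "safe:", has_active_tag(render_not_found_safe(path)))
    print("post safe:", has_active_tag(render_message_safe(SAMPLE_POST)))
```
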