echalk vuln

From: kevin anonymous (undergroundwars_at_gmail.com)
Date: 11/23/04

  • Next message: Hernan Racciatti: "IPFront - Release"
    Date: 23 Nov 2004 04:50:44 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    echalk is a service that makes advanced websites for schools. alot of them have online classes student email systems and homework checks. my school uses echalk and i found this vuln on their site. in echalk's search form it blocks out most html and javascript but if you use &lt;script&gt;<img src=javascript:somejavacommand />&lt;/script&gt;
    it actually shows an image icon that contains javascript. this vuln can be used to submit any javascript command you want to the site.this can be fixed by not allowing any < characters in the search forum.

    -hypnosses


  • Next message: Hernan Racciatti: "IPFront - Release"