Re: Cross site scripting @verisign.com and @cybercash.com
From: KF (email@example.com)
- Maybe in reply to: KF: "Cross site scripting @verisign.com and @cybercash.com"
Date: Mon, 22 Apr 2002 09:31:55 -0400
From: KF <firstname.lastname@example.org>
To: kristalaz <email@example.com>
No this IS a hole in their side because their server attempts to
generate an error message based on the url supplied by the user... Also
someone else confirmed that there was an issue with this site in the
The issue you refer to is specific to the about: protocol... if I go to
any other http:// sites and append some java script I do not have the
same issue I get the standard 404 instead... the issue lies in the
generation of the error message on the cybercash.com side.
*The document you have requested does not exist on this system.* Please
check the URL and try again or use the site map below to find the
information you are looking for.
If you believe you have received this message in error, write to support
at firstname.lastname@example.org <mailto:email@example.com> . Include the
error code and brief description of what you were doing when you
received this error.
<----------------------------------- Problem lies here.
*Error:* 404 - Not Found
>I don't think that this is a bug in their servers, because if you try this
>"about:<script>alert('hi')</script>" write in your address at IE >4.0, you
>will see that it's an IE bug, because this site is generated by browser
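
The server-side cause KF describes (an error page generated from the URL the user supplied), shown as an added example that is not part of the original message and is not either site's code. The template, function names and request path are constructed for illustration; the probe string is the harmless one from the quoted reply.

```python
import html
from urllib.parse import unquote

# Constructed template modelled on the error text quoted in the message;
# the real site's markup is not available on the page.
TEMPLATE = (
    "<html><body>"
    "<p><b>The document you have requested does not exist on this system.</b></p>"
    "<p>Requested URL: {url}</p>"
    "<p><b>Error:</b> 404 - Not Found</p>"
    "</body></html>"
)


def render_404_reflecting(raw_path: str) -> str:
    """Vulnerable form: the decoded request path is pasted into the page as-is."""
    return TEMPLATE.format(url=unquote(raw_path))


def render_404_escaped(raw_path: str) -> str:
    """Hardened form: the path is HTML-escaped before it reaches the markup."""
    return TEMPLATE.format(url=html.escape(unquote(raw_path), quote=True))


def reflects_markup(page: str, probe: str) -> bool:
    """Regression check: does the probe come back byte-for-byte as live markup?"""
    return probe in page


# Constructed sample request path carrying the probe, percent-encoded.
PROBE = "<script>alert('hi')</script>"
SAMPLE_PATH = "/missing%3Cscript%3Ealert('hi')%3C/script%3E"

if __name__ == "__main__":
    for render in (render_404_reflecting, render_404_escaped):
        page = render(SAMPLE_PATH)
        print(render.__name__, "reflects markup:", reflects_markup(page, PROBE))
```

The same `reflects_markup` check can be kept as a regression test against any handler that builds an error page from request data.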