echalk search form XSS vuln
echalk is a service that builds advanced websites for schools; a lot of them have
online classes, student email systems and homework checks. My school uses echalk
and I found this vuln on their site. echalk's search form blocks most HTML and
JavaScript, but if you submit

<script><img src=javascript:somejavacommand /></script>

the results page shows an image icon whose src is the JavaScript, so the filter
lets the <img> tag through. This is a reflected cross-site scripting bug: it can
be used to run any JavaScript you want in the site's origin against a user who
loads the crafted search. Rejecting "<" in the search form would stop this
particular payload, but a character blocklist is the wrong fix. The query should
be HTML-encoded on output everywhere it is reflected (and attribute-encoded where
it is echoed back into the search box's value attribute), because a payload with
no "<" in it at all can still break out of an attribute.
-hypnosses
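The following is an added example, not echalk's code and not part of the post above. It reflects a search query into a hypothetical results page under three treatments (no filtering, the post's proposed "drop every <" fix, and HTML-encoding on output) and runs two string-level checks over the result. The page template, the attribute-breakout payload, and the check functions are constructed for the demonstration; the first payload is the one from the post.

```javascript
// Added example (not echalk's code): compare "strip <" against output encoding
// for a reflected search query.

// Payload from the post above.
const SCRIPT_IMG_PAYLOAD = '<script><img src=javascript:somejavacommand /></script>';
// Constructed payload: contains no "<", so a "<" blocklist passes it untouched.
const ATTR_BREAKOUT_PAYLOAD = '" onmouseover="alert(1)';

// Treatment 1: reflect the query as-is (the reported behaviour).
function noFilter(s) { return s; }

// Treatment 2: the fix proposed in the post: drop every "<".
function stripAngle(s) { return s.replace(/</g, ''); }

// Treatment 3: encode the five HTML metacharacters on output.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) { return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]); }

// Hypothetical results page (constructed): the query lands in an attribute
// (the search box keeps its value) and in the page text.
function renderResults(query, treat) {
  const q = treat(query);
  return `<form><input name="q" value="${q}"></form>\n<p>No results for: ${q}</p>`;
}

// Crude string-level checks, good enough for this demo; a real test would
// load the page in a browser and inspect the DOM.
function reflectsLiveTag(html, tag) {
  // A real "<img" start tag, as opposed to "&lt;img" or a bare "img".
  return new RegExp(`<${tag}[\\s>/]`, 'i').test(html);
}
function inputAttrBrokenOut(html) {
  // Does anything after the quoted value attribute look like an event handler?
  const m = html.match(/<input name="q" value="([^"]*)"([^>]*)>/);
  return m !== null && /\son\w+\s*=/i.test(m[2]);
}

// Each row: [treatment, payload, live <img> present?, input attribute broken out?]
function compareTreatments() {
  const treatments = { noFilter, stripAngle, escapeHtml };
  const payloads = { SCRIPT_IMG_PAYLOAD, ATTR_BREAKOUT_PAYLOAD };
  const rows = [];
  for (const [tName, treat] of Object.entries(treatments)) {
    for (const [pName, payload] of Object.entries(payloads)) {
      const html = renderResults(payload, treat);
      rows.push([tName, pName, reflectsLiveTag(html, 'img'), inputAttrBrokenOut(html)]);
    }
  }
  return rows;
}

for (const row of compareTreatments()) console.log(row.join('\t'));
```

Stripping "<" does neutralise the post's payload, but the attribute-breakout payload still turns the search box into `<input name="q" value="" onmouseover="alert(1)">`. Only the encoded version keeps both payloads inert, because the quote that would end the attribute is emitted as `&quot;` and the tag brackets as `&lt;`/`&gt;`.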