
echalk vuln




echalk is a service that makes advanced websites for schools. A lot of them have
online classes, student email systems and homework checks. My school uses echalk
and I found this vuln on their site. In echalk's search form it blocks out most
HTML and JavaScript, but if you use <script><img
src=javascript:somejavacommand /></script>
it actually shows an image icon that contains JavaScript. This vuln can be
used to submit any JavaScript command you want to the site. This can be fixed by
not allowing any < characters in the search form.

-hypnosses
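The filter bypass described in the post, shown from the defending side as an added Python example (not code from the post or from echalk): a tag-name blacklist of the kind the post describes strips the outer <script> tags but leaves the <img src=javascript:...> intact, while the poster's reject-'<' fix and standard HTML output encoding both neutralise it. The blacklist regex and the sample payload are constructed assumptions modelled on the post's description.

```python
import html
import re

# Constructed sample using the payload shape the post describes: the outer
# <script> tags are what a tag-name blacklist catches, while the
# <img src=javascript:...> inside them is what slips through.
POSTED_PAYLOAD = "<script><img src=javascript:somejavacommand /></script>"

TAG_RE = re.compile(r"<([a-z][a-z0-9]*)[^>]*>", re.IGNORECASE)
JS_SRC_RE = re.compile(r"<[^>]*\bsrc\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)


def naive_filter(query: str) -> str:
    """Assumed blacklist filter of the kind the post describes: removes a few
    known dangerous tag names and leaves every other tag in place."""
    return re.sub(r"</?(script|iframe|object)[^>]*>", "", query, flags=re.IGNORECASE)


def reject_lt(query: str) -> str:
    """The post's proposed fix: refuse any query containing '<'."""
    if "<" in query:
        raise ValueError("search query contains '<'")
    return query


def escape_output(query: str) -> str:
    """Output encoding, the standard fix: every HTML-significant character is
    encoded, so no tag or attribute can form whatever tag names appear."""
    return html.escape(query, quote=True)


def surviving_tags(fragment: str) -> list:
    """Tag names that would still be parsed as markup if this text were
    echoed into the search results page."""
    return [m.group(1).lower() for m in TAG_RE.finditer(fragment)]


def has_javascript_src(fragment: str) -> bool:
    """True if a live tag still carries a javascript: URL in its src."""
    return JS_SRC_RE.search(fragment) is not None


def reflect_query(query: str, sanitizer) -> str:
    """Simulates the search page echoing the query into its results HTML."""
    return f"<p>Results for: {sanitizer(query)}</p>"


if __name__ == "__main__":
    leaked = naive_filter(POSTED_PAYLOAD)
    print("naive filter leaves:", leaked, surviving_tags(leaked))  # ['img']
    print("escaped output:", reflect_query(POSTED_PAYLOAD, escape_output))
```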