echalk vuln

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: echalk vuln
From: kevin anonymous <undergroundwars@xxxxxxxxx>
Date: 23 Nov 2004 04:50:44 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


echalk is a service that makes advanced websites for schools. alot of them have 
online classes student email systems and homework checks. my school uses echalk 
and i found this vuln on their site. in echalk's search form it blocks out most 
html and javascript but if you use &lt;script&gt;<img 
src=javascript:somejavacommand />&lt;/script&gt;
it actually  shows an image icon that contains javascript. this vuln can be 
used to submit any javascript command you want to the site.this can be fixed by 
not allowing any < characters in the search forum.

-hypnosses

Prev by Date: Re: Changes to the filesystem while find is running - comments?
Next by Date: IPFront - Release
Previous by thread: [ GLSA 200411-31 ] ProZilla: Multiple vulnerabilities
Next by thread: IPFront - Release
Index(es):
- Date
- Thread