|
|
|
Re: XSS [message #24506 is a reply to message #24496] |
Fri, 29 April 2005 15:26   |
Cr00t
 Messages: 16 Registered: February 2003 Location: Russia
Karma: 0
|
Junior Member |
add to buddy list ignore all messages by this user
|
|
Ilia писал(а) Птн, 29 Апреля 2005 16:18 | ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.
|
Yeap, there is a filter, like this:
if (strpos(strtolower($parms), 'javascript:') === false) {
but i can bypass it using special symbols, most of them in 16
if i type "javascrip&_#116;" (without "_" symbol) this filter works, but browser look at the code and execute "javascrip&_#116;" (without "_" symbol)!
::: don't gimme namez :::
|
|
|
|
|
|
|
Re: XSS [message #24521 is a reply to message #24520] |
Sun, 01 May 2005 00:55   |
Cr00t
 Messages: 16 Registered: February 2003 Location: Russia
Karma: 0
|
Junior Member |
add to buddy list ignore all messages by this user
|
|
Ilia писал(а) Сбт, 30 Апреля 2005 23:52 | Perhaps you made some modifications to the forum that altered the post processing behaviour.
|
what modifications? i have original forum, no hacks. Right now forum version is 2.6.12
::: don't gimme namez :::
|
|
|
|