Bugtraq mailing list archives

JS embedding @ www.reed.co.uk
From: "elaborate ruse" <elaborateruse () trust-me com>
Date: Tue, 26 Mar 2002 17:15:34 -0600

 Title:         JS embedding @ www.reed.co.uk
 Date:          26.03.02
 Author:        elab (http://elaboration.8bit.co.uk)
 Problem:       Improper input validation during the sign-up process allows
                users to embed JavaScript
 Vendor Status: Contacted on:   17:00 GMT 14 March 02
                Via:            http://www.reed.co.uk/contact.asp
                Response:       Within 2 hours

                Due to improper input validation, users are able to insert/embed
                JavaScript into certain form fields during the sign-up process.

                Once the registration process is complete, viewing the user's
                profile will download and execute the embedded JS in the
                browser of whoever views that profile.

                The problem was fixed by the vendor within 5 working days of
                it being reported.
                Now when a user attempts to insert JavaScript into the sign-up
                form they are redirected to an error page.
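The following is an added example, not code from the advisory or from reed.co.uk. It shows the two controls that address a stored-script issue of the kind described above: a vendor-style input check that bounces submissions containing script markup, and output encoding on the profile page so that whatever was stored is rendered as text rather than parsed as HTML. The field names and the sample submission are constructed for illustration; the advisory does not say which fields were affected.

```javascript
// Added example (not from the advisory): handling sign-up form fields so that
// a profile page does not execute JavaScript embedded in them.

// Vendor-style fix: reject input that looks like a script tag at sign-up time.
// A denylist like this is easy to leave incomplete, so it is a second line of
// defence, not the primary one.
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;

// Returns true when the submitted value should be bounced to an error page.
function rejectsScriptInput(value) {
  return SCRIPT_TAG.test(String(value));
}

// Primary defence: encode on output so stored characters cannot become markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Rendering as the advisory describes it: stored fields are concatenated
// straight into the profile HTML, so a stored <script> element runs.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1><p>${profile.bio}</p>`;
}

// Hardened rendering: every stored field is HTML-encoded before insertion.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1><p>${escapeHtml(profile.bio)}</p>`;
}

// Constructed sample sign-up submission (hypothetical fields name/bio).
const sampleSignup = { name: "elab", bio: "hello <script>x()</script>" };
```

Running `rejectsScriptInput(sampleSignup.bio)` returns true, while `renderProfileSafe(sampleSignup)` contains `&lt;script&gt;` instead of a live tag.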

                The vendor was contacted at 17:00 GMT on 14 March 02 via an
                online contact form and replied within 2 hours with a
                professional and friendly response.

                Official vendor response:

                "We are happy to acknowledge the part elab played in alerting
                us to an absence of validation on one of our site's forms.
                Although this was never exploited, and has now been corrected
                on the site, we are most grateful to elab for pointing it out".

                Credit is given to the vendor for handling this issue in the
                correct manner.
