Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:



/

fulldisclosure logo Full Disclosure mailing list archives

Re: Youtube xss
From: rafael.gomes () ufba br
Date: Sun, 04 Jul 2010 21:39:54 -0300
They already fixed this! I tried.
-- 
Rafael Gomes via Webmail
Analista de Segurança
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100


Citando Christopher Grant <chrisgrantmail () gmail com>:


See http://www.youtube.com/watch?v=0xFbldgYVwQ for an example. It would
appear that including something along the lines of "*
<script>IF_HTML_FUNCTION?*" followed by your payload in a comment bypasses
youtube's xss defenses. Pretty big hole eh?
- Chris





----------------------------------------------------------------
Universidade Federal da Bahia - http://www.portal.ufba.br

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Youtube xss Christopher Grant (Jul 04)
    • Re: Youtube xss rafael . gomes (Jul 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]