Vulnerability Development mailing list archives

RE: Can you exploit this XSS?


From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Wed, 19 Nov 2003 11:45:54 -0500

As I understand XSS, it is only exploitable when user A enters data that
user B views. XSS is moot when you can only do it to yourself, so screens
like that (a redirect) are just a convenience for the user. It should
still be properly cleansed, but I don't see this being a true case of XSS,
more like JavaScript Injection.

Michael Scovetta
Application Developer
Computer Associates International, Inc.


-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Wednesday, November 19, 2003 7:51 AM
To: vuln-dev () securityfocus com; rich () westpoint ltd uk
Subject: Can you exploit this XSS?


Hi,

While auditing a web app, I've found the site redirects not found pages 
to a login screen. This contains an element like:

<input type="hidden"  name="tageturl" value="XXX">

Now, the XXX bit is controlled by the user, and it seems the only 
characters escaped are " and & - i.e. 
<script>alert(document.cookie)</script> gets through (hence my tool 
alerted me).

Can this be exploited for XSS? I can't see how to immediately, but it 
seems possible.

Paul

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
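
A check for the escaping described in the original post, as an added example that is not part of either message: it renders the quoted hidden input, parses it with Python's `html.parser`, and reports whether a value stays inside the `value` attribute. It goes beyond the case in the post by also covering a single-quoted attribute. The function names and the two `<b>` sample values are constructed for illustration, and `html.parser` is assumed here as a stand-in for a browser's tokenizer.

```python
import html
from html.parser import HTMLParser

PROBE = "<script>alert(document.cookie)</script>"  # string quoted in the post

def observed_escape(value):
    """Escaping as described in the post: only & and " are replaced."""
    return value.replace("&", "&amp;").replace('"', "&quot;")

def full_escape(value):
    """Standard-library encoding of & < > " and '."""
    return html.escape(value, quote=True)

def render(value, escape, quote='"'):
    """Build the login-form element from the post around an escaped value."""
    return ('<form><input type="hidden" name="tageturl" value='
            + quote + escape(value) + quote + "></form>")

class _Collector(HTMLParser):
    """Records every start tag and the decoded value of the input element."""
    def __init__(self):
        super().__init__()
        self.tags, self.value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")

def stays_in_attribute(value, escape, quote='"'):
    """True if the parser sees only <form><input> and the value round-trips."""
    parser = _Collector()
    parser.feed(render(value, escape, quote))
    parser.close()
    return parser.tags == ["form", "input"] and parser.value == value

if __name__ == "__main__":
    samples = [PROBE, '"><b>x</b>', "'><b>x</b>"]  # last two are constructed
    for quote in ('"', "'"):
        for name, fn in (("none", str), ("observed", observed_escape),
                         ("full", full_escape)):
            results = [stays_in_attribute(s, fn, quote) for s in samples]
            print(f"quote={quote} escape={name:8} contained={results}")
```
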



