PostNuke

Flexible Content Management System

News

Security hole by allowing html-signatures

Contributed by Thanks for pointing on Aug 01, 2001 - 10:01 PM

Some of you might ask now: Why would this be a security leak?

Well, have a look at my userpage. You can see a small gif with text around it that says "Klicke hier für Hilfe" ("Click here for help").

Can you see it? Cool, I can see you too, because this is JavaScript and it allows me to see your IP address, the time you have spent looking at that particular page, the browser, the version of the browser, the platform, and the referrer. If you click on the picture, a chat window opens up, but if I wanted to be really funny I could open up a chat window from my side as well.

So, the security leak is:

  • By allowing anything with the src-attribute you open up a security hole.
  • Almost everything that is possible with JavaScript can be done with your website. This includes:
    • A violation of the privacy of your website's members
    • Unwanted windows might open up
    • Someone could claim with my example script to be part of the staff of the website and ask for a password or do any other harm to the visitors of your site

So please don't allow all html-tags. :)

Greetings from sunny Germany!

Sascha

P.S.: Please don't delete my account here, I will take off my javascript-signature after a few days so that everyone has had enough time to test this - I promise I won't do any harm to your website's visitors nor will I monitor them! :)
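
One way to act on the advice above, as an added example that is not part of the original post or of PostNuke's code: an allowlist filter for signatures, written in Python as an assumption, that keeps a few formatting tags, copies no attributes (so no src or event handler survives) and discards script bodies. The tag policy, the sample signature and names such as sanitize_signature are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy: a few formatting tags and no attributes (no src=, href=, on*=).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong"}
DROP_WITH_CONTENT = {"script", "style"}  # the element body is discarded too

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.rejected, self.skip_depth = [], [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.rejected.append(tag)
        elif self.skip_depth:
            return
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs are deliberately not copied
            self.open_tags.append(tag)
        else:
            self.rejected.append(tag)  # e.g. img, iframe, embed: tag is dropped

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # also closes mis-nested inner tags
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize_signature(raw):
    """Return (safe_html, rejected_tags) for a user-supplied signature."""
    parser = SignatureSanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_tags:  # close anything the user left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.rejected

# Constructed sample signature (not taken from the page).
SAMPLE = '<b onmouseover="x()">Sascha</b> <img src="//tracker.example/p.gif"><script src="//tracker.example/s.js"></script><i>bye'
```

The list of rejected tags can be logged so that moderators see which accounts tried to submit tags outside the policy.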