Is this a security leak? What do you think?

Michael Schwarz on Wednesday, January 28, 2004

In recent months there has been a lot of discussion about the SCRIPT tag in WYSIWYG HTML editors. Many companies allow users to add SCRIPT code to their guestbooks, auctions, weblogs... If you add a script that uses the URL Spoofing bug, you can collect private data or change the website.

Now that this has been widely covered in the media, companies have changed their editors and forbid the SCRIPT tag to prevent hacks to their websites. But yesterday I found another problem. If you allow HTML tags, you can build the following HTML code to allow scripting:

<SPAN onmouseover="my javascript code"> <P>Here comes my real article...</P> </SPAN>

If someone uses this together with the URL Spoofing bug, they can change, for example, the link to the login page. They use their own website, which has the same layout as the real page. You enter your user credentials and they collect these values before you are redirected to the real login page.

If you can see the image below this text the embedded script has been executed. Otherwise move the cursor over this article. (Note: This script only changes the location of an image, no dangerous code!)

<a href=""><img id="myImage" src="" border="0"></a>
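The gap described above, as an added example that is not part of the original post: a filter that only removes SCRIPT elements lets the SPAN with its onmouseover handler through, while a sanitizer that rebuilds the markup from an allowlist of tags and attributes drops the handler. The allowlist contents, the function names and the sample input are assumptions made for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a guestbook: tag -> attributes that may be kept.
ALLOWED = {"p": set(), "span": set(), "b": set(), "i": set(), "a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its text
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.I)  # href is the only kept attribute

def strip_script_only(html):
    """The filter the post describes: remove SCRIPT elements, keep the rest."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            # Event handlers (onmouseover, onclick, ...) are never in the allowlist.
            kept = [(k, v) for k, v in attrs
                    if k in ALLOWED[tag] and v and SAFE_URL.match(v.strip())]
            self.out.append("<" + tag + "".join(
                ' %s="%s"' % (k, escape(v, quote=True)) for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, modelled on the SPAN example in the post.
SAMPLE = ('<SPAN onmouseover="changeImage()"><P>Here comes my real article...</P>'
          '</SPAN><script>changeImage()</script>')

if __name__ == "__main__":
    print("script-only filter:", strip_script_only(SAMPLE))
    print("allowlist filter:  ", sanitize(SAMPLE))
```

An unclosed SCRIPT element makes this sanitizer drop everything after it, which is the fail-closed behaviour you want for user-submitted markup.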