[thelist] [tip] Macromedia even forgets (encoding user input)
Nelson Rodriguez-Pena
nelson at webstudio.cl
Thu Jun 26 17:02:07 CDT 2003
Hi jd,
>>
>>Are you saying that you can exploit a vulnerability in the Macromedia site
>>itself? If so, what steps-to-repro can I relay to the web team to make the
>>problem happen? Thanks.
when that message was sent I checked it and confirmed that it was real and
inmediatly reported it in MM's site. Didn't get a response, though.
I found that
http://www.macromedia.com/cfusion/search/index.cfm
didn't encode input, so it should be possible to make a XSS attack. The
original used a meta injection to redirect to another page.
BTW, nice to see you here JD, I was a long time reader of Direct-L, Lingo-L
and other Director related lists :)
regards,
------------------------------------------------------------
Nelson Rodriguez-Pena A.
Diseno y Desarrollo Web y Multimedia
nelson at webstudio.cl
------------------------------------------------------------
More information about the thelist
mailing list