[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Youtube xss

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Youtube xss
From: Christopher Grant <chrisgrantmail@xxxxxxxxx>
Date: Sun, 4 Jul 2010 21:57:50 +0800

See http://www.youtube.com/watch?v=0xFbldgYVwQ for an example. It would
appear that including something along the lines of "*
<script>IF_HTML_FUNCTION?*" followed by your payload in a comment bypasses
youtube's xss defenses. Pretty big hole eh?
- Chris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Youtube xss
  - From: rafael . gomes

Prev by Date: Re: [Full-disclosure] Hiding Backdoors in plain sight
Next by Date: [Full-disclosure] [SECURITY] [DSA 2059-2] New pcsc-lite packages fix regression
Previous by thread: Re: [Full-disclosure] File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
Next by thread: Re: [Full-disclosure] Youtube xss
Index(es):
- Date
- Thread