Re: [Full-disclosure] Youtube xss
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Youtube xss
- From: rafael.gomes@xxxxxxx
- Date: Sun, 04 Jul 2010 21:39:54 -0300
They already fixed this! I tried.
--
Rafael Gomes via Webmail
Security Analyst
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100
Quoting Christopher Grant <chrisgrantmail@xxxxxxxxx>:
> See http://www.youtube.com/watch?v=0xFbldgYVwQ for an example. It would
> appear that including something along the lines of "*
> <script>IF_HTML_FUNCTION?*" followed by your payload in a comment bypasses
> youtube's xss defenses. Pretty big hole eh?
> - Chris
>
----------------------------------------------------------------
Universidade Federal da Bahia - http://www.portal.ufba.br
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/