If you are using MSIE, here is something to check out : have a look at my Flickr Profile, and compare with another profile. If you are not using MSIE, here is what you are missing : Skinning Flickr with an XSS exploit.
Updated May 27th : Flickr admins fixed this issue so the exploit is no longer possible with MSIE. I'm such a good person sometimes :) Look at the screenshot and explanations anyway :)
Most of the time, scripts running on servers filter out this kind of trick, because it allows execution of unwanted, possibly malicious, remote code. But just as often, scripts don't check every possibility of XSS filter evasion (a really interesting read, a bit scary even :)
What I did here is the following :
- First, I created an extra CSS file for Flickr. Ok, it's not the prettiest layout you can dream of for Flickr, but heh, I was going more for a "proof of concept" :)
- Now, what I wanted to do was add the following image to my Flickr Profile :
This would replace Flickr's CSS location with mine.
- xss.css';" width=0 height=0>
- And voilà
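As an added illustration (my own example, not code from the post and not Flickr's), here is the defender's side of the trick above: a user-supplied image URL dropped straight into an attribute lets a quote or ">" in the value end the attribute and turn the rest into markup, while attribute-context escaping plus a scheme allowlist keeps the value inert. The host example.invalid and SAMPLE_URL are constructed for the demo.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample (not Flickr's actual payload): an image URL whose value tries
# to close the surrounding quote and smuggle extra attributes into the <img> tag.
SAMPLE_URL = "http://example.invalid/xss.css';\" width=0 height=0>"


def render_naive(url: str) -> str:
    """The weak pattern: the user value goes into the attribute unescaped."""
    return f'<img src="{url}">'


def render_hardened(url: str) -> Optional[str]:
    """Allow only http(s) URLs with a host, then escape for the attribute context.
    html.escape(quote=True) turns & < > " ' into entities, so the value can never
    terminate the attribute or the tag, whatever characters it contains."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f'<img src="{html.escape(url, quote=True)}">'


class _FirstImg(HTMLParser):
    """Minimal parser: records the attributes of the first <img>, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Optional[Dict[str, Optional[str]]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_first_img(markup: str) -> Dict[str, Optional[str]]:
    """Return the attribute map a parser extracts from the rendered markup."""
    parser = _FirstImg()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    print(parse_first_img(render_naive(SAMPLE_URL)))     # src plus injected width/height
    print(parse_first_img(render_hardened(SAMPLE_URL)))  # src only, original value intact
```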
Ok, I'm now warning Flickr's admins about this or they might just kill my account :-P Done, and they fixed it.