{"id":286,"date":"2005-05-23T23:34:53","date_gmt":"2005-05-23T22:34:53","guid":{"rendered":"http:\/\/frenchfragfactory.net\/ozh\/?p=286"},"modified":"2007-05-08T16:11:36","modified_gmt":"2007-05-08T14:11:36","slug":"cross-site-scripting-skinning-flickr-with-msie","status":"publish","type":"post","link":"https:\/\/planetozh.com\/blog\/2005\/05\/cross-site-scripting-skinning-flickr-with-msie\/","title":{"rendered":"Cross Site Scripting : Skinning Flickr with MSIE"},"content":{"rendered":"

If you are using MSIE, here is something to check out : have a look at my Flickr Profile<\/a>, and compare with another profile<\/a>. If you are not using MSIE,<\/strike> here is what you are missing : Skinning Flickr with an XSS exploit<\/a>.<\/p>\n

Updated May 27th : Flicker admins fixed this issue so the exploit is no longer possible with MSIE. I'm such a good person sometimes :) Look at the screenshot and explanations anyway :)<\/p>\n


\n\"Cross<\/p>\n

The concept is the following : MSIE allows img tags with a javascript src. For example, the following is valid in MSIE and would pop a message box.<\/p>\n

\n\n\t\t
\n\n\t\t
\n\t\t\t\t\t\t< View plain text<\/span> ><\/a>\n\t\t\t\t\t<\/div>\n\n\t\t
HTML<\/div>\n\n\t\t\n\t\t
\n\n\t<\/div>\n\t\n\t
\n\t\t
  1. <img<\/span> src<\/span>=<\/span>"javascript:alert('hello');"<\/span>><\/span><\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n

    Most of the time, scripts running on servers filter out this kind of trick, because it allows execution of unwanted, possibly malicious, remote code. But most of the time also, scripts don't check every possibility of XSS filter evasion<\/a> (really interesting read, a bit scary even :)<\/p>\n

    What I did here is the following :<\/p>\n