Flexible Content Management System


Security hole by allowing html-signatures

Contributed by Thanks for pointing on Aug 01, 2001 - 10:01 PM

Some of you might ask now: Why would this be a security leak?

Well, have a look at my userpage. You can see a small gif with text around it that says "Klicke hier für Hilfe" ("Click here for help").

Can you see it? Cool, I can see you too, because this is Javascript and it allows me to see your IP address, the time you have spent looking at that particular page, the browser, the version of the browser, the platform, and the referrer. If you click on the picture, a chat window opens up, but if I wanted to be really funny, I could open up a chat window from my side as well.

So, the security leak is:

  • By allowing anything with the src-attribute you open up a security hole.

  • Almost everything that is possible with Javascript can be done with your website. This includes:

    • A violation of the privacy of your website's members

    • Unwanted windows might open up

    • Using my example script, someone could claim to be part of the website's staff and ask for a password, or do any other harm to the visitors of your site

So please don't allow all html-tags. :)

Greetings from sunny Germany!


P.S.: Please don't delete my account here. I will take off my Javascript signature after a few days so that everyone has had enough time to test this. I promise I won't do any harm to your website's visitors, nor will I monitor them! :)
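One way to act on the advice above is to rebuild each signature from an allowlist of formatting tags before storing or rendering it. The following is an added example, not code from the original post or from any CMS; the tag policy, the names `SignatureSanitizer` and `sanitize_signature`, and the host `tracker.example` used in testing are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: formatting tags only, nothing that loads or runs remote content.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}


class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped container such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(self._render(tag, attrs))
        # Any other tag (img, embed, frame, ...) is dropped, so no src is ever emitted.

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is always re-escaped

    def _render(self, tag, attrs):
        # Tags are rebuilt from scratch: on* handlers and style never survive.
        if tag != "a":
            return f"<{tag}>"
        href = (dict(attrs).get("href") or "").strip()
        try:
            ok = urlsplit(href).scheme.lower() in ("http", "https")
        except ValueError:
            ok = False
        if not ok:
            return "<a>"  # javascript:, data: and malformed URLs lose their href
        return f'<a href="{escape(href, quote=True)}" rel="nofollow noopener">'


def sanitize_signature(raw):
    parser = SignatureSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

An unclosed `<script>` or `<iframe>` causes everything after it to be dropped, so malformed input fails closed.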