pssst.qc.ca security hole
Last weekend, I discovered a security hole at pssst!, a small Quebecois forum. The comments appear on the same page as the submission fields (post, username, password), and you can (well, you could) put whatever you want in the comments, including JavaScript. So I hid in a comment a script that installed an event handler triggered by the Submit button, which sent the posted username and password to my server, and I got all the usernames/passwords of people who posted after my comment. It was not a very technical hack, but nobody had thought of it before me.
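The bug described above is a stored cross-site scripting flaw: comment text was written into the page as raw HTML instead of as text, so anything a commenter typed ran with the page's (and the login form's) origin. Below is an added example, not the forum's code, showing the vulnerable rendering next to the fix: escape every user-controlled value on output. The comment shapes, the `renderComment*` function names and the sample comments are constructed for the example.

```javascript
// Added example (not pssst.qc.ca's code): rendering a user comment into
// an HTML page, unsafely and safely. Plain Node.js, no dependencies.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. This is the core mitigation for the stored
// XSS in the post: user content is shown as text, never parsed as markup.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the comment body is interpolated verbatim, so a
// comment containing <script> executes in every later visitor's browser,
// on the same page (and origin) as the username/password fields.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.user}</b>: ${comment.body}</li>`;
}

// Hardened rendering: every user-controlled value is escaped at the point
// where it is written into HTML. The template's own tags stay intact.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.user)}</b>: ` +
         `${escapeHtml(comment.body)}</li>`;
}

// Crude check for tests and code review: does the rendered HTML contain a
// script tag, an inline event handler, or a javascript: URL that did not
// come from the template itself?
function containsActiveContent(html) {
  return /<script\b|<\/script|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample comments (not real data from the forum).
const benign = { user: 'alice', body: 'Bonjour tout le monde! 1 < 2 && 3 > 2' };
const hostile = { user: 'mallory', body: '<script>alert("xss")</script>' };

// Render both comments both ways and report which outputs carry active
// content. Only the unsafe rendering of the hostile comment should.
function demo() {
  const results = [];
  for (const c of [benign, hostile]) {
    const unsafe = renderCommentUnsafe(c);
    const safe = renderCommentSafe(c);
    results.push({ user: c.user, unsafeActive: containsActiveContent(unsafe),
                   safeActive: containsActiveContent(safe) });
    console.log('unsafe:', unsafe);
    console.log('safe:  ', safe);
  }
  return results;
}

demo();
```

Output escaping is the fix that closes the hole; in the same spirit, a forum that accepts logins should also keep the credential form on a page that carries no user-generated markup and should set a Content-Security-Policy that blocks inline scripts, so that a single missed escape does not hand every later poster's password to whoever commented first.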