ISC^2 continues its string of nominations to the Wall O' Irony with these latest gems. Both isc2.com and cissp.com had cross-site scripting (XSS) vulnerabilities posted to Full-Disclosure (F-D).
[Full-disclosure] CISSP
From: Bozo Bad (bozobad[at]gmail.com)
Date: Mon Jun 18 2007 - 12:37:25 CDT

http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma, I'm a CISSP!%22)%3C/script%3E
[Full-disclosure] Today's Lesson - XSS
From: Concerned CISSP (certifiedcissp[at]hotmail.com)
Date: Thu Jun 14 2007 - 01:35:34 CDT

Today's lesson, boys and girls, is on Cross Site Scripting....

"An XSS attack relies on a website displaying text without checking whether it contains special characters. The client browser interprets the special characters as script instructions, and executes the script..."

An example of an XSS attack:

https://www.isc2.org/cgi-bin/cissp_completerecord.cgi?name"><script>alert(document.cookie);</script>&print=cpe

Now that you've seen XSS... you can add one CPE to your CISSP record!

Skinny Mongoose - CISSP
shoutz to - $nip3r, P0p3, mkkna$ti.....