Excellent, good catch: when logged out it does indeed display the
alert. I imagine it has to do with the 'next' property, which is not, I
believe, escaped, as it is not entered into the DB or presented to any
other user. So again, it begs the question: how is the XSS attack
possible?

WARNING! cynical satire ahead!

For those of you willing to succumb to an opt-in XSS attack: please
reply to the list with a valid credit card number, expiration date,
and CVV2 ID (it is on the back next to the signature block). Thank
you ;)

-richard

On 5/7/08, Jan Rademaker <[EMAIL PROTECTED]> wrote:
>
> It does work, make sure you're not logged in.
>
> $ lynx -source -dump http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/ | grep alert
> <form action="/admin/"><script>alert(3939)</script>/" method="post"
> id="login-form">
>
>
> On May 7, 9:10 pm, "James Bennett" <[EMAIL PROTECTED]> wrote:
> > On Wed, May 7, 2008 at 1:45 PM, mw <[EMAIL PROTECTED]> wrote:
> > >  It worked for me and I have one of the fairly recent copies from SVN.
> > >  (not like today up to date, but pretty up to date)
> >
> > Visiting the precise URL he pasted, in current Django trunk (SVN
> > revision 7514), I get a 404.
> >
> > And I can't see any way that the URL would match something in a prior
> > version of Django, since there's never been an admin URL pattern that
> > can match "index.php" or the other junk in that URL.
> >
> > My best guess is somebody made a 404.html template and is displaying
> > the raw path of the URL without escaping (or with escaping turned off,
> > depending on the Django version).
> >
> > --
> > "Bureaucrat Conrad, you are technically correct -- the best kind of 
> > correct."
> >
>
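The mechanism Jan's lynx output shows is a reflected XSS: the percent-decoded request path is dropped into the login form's action attribute, so a `"` in the path closes the attribute and the rest of the path becomes markup. The same thing happens in the 404.html case James describes (raw path rendered with escaping off). The following is an added example, not code from the thread or from Django: it reconstructs that reflection with the thread's own URL, using only the standard library, and puts the unescaped rendering beside the attribute-escaped one. The template strings and function names are hypothetical; the attack URL and the expected vulnerable output are the ones quoted in the thread.

```python
"""Added example (not from the thread or from Django): reflecting a request
path into an HTML attribute, unescaped versus escaped, with the thread's URL."""
from html import escape
from urllib.parse import unquote, urlsplit

# The URL from Jan's lynx command, exactly as a browser would send it.
ATTACK_URL = (
    "http://localhost:8000/admin/"
    "%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/"
)


def request_path(url: str) -> str:
    """What the WSGI server hands the app as PATH_INFO: the percent-decoded
    path.  This is the step that turns %22 back into a literal quote."""
    return unquote(urlsplit(url).path)


def render_login_form_vulnerable(path: str) -> str:
    """Hypothetical reconstruction of the flaw under discussion: the raw
    request path is interpolated into the action attribute with no escaping
    (equivalent to a template rendering the path with autoescape off)."""
    return '<form action="%s" method="post" id="login-form">' % path


def render_login_form_hardened(path: str) -> str:
    """Same template with attribute-safe escaping.  quote=True matters here:
    it is the double quote that lets the payload break out of action="...",
    and html.escape only encodes quotes when asked to."""
    return '<form action="%s" method="post" id="login-form">' % escape(
        path, quote=True
    )


def reflects_script(html: str) -> bool:
    """The check Jan did with grep: does a live <script tag appear in the
    rendered response?  Entity-encoded &lt;script&gt; does not count."""
    return "<script" in html.lower()


if __name__ == "__main__":
    path = request_path(ATTACK_URL)
    print("decoded path :", path)
    print("vulnerable   :", render_login_form_vulnerable(path))
    print("hardened     :", render_login_form_hardened(path))
```

Run stand-alone, the vulnerable renderer reproduces Jan's grep hit (`<form action="/admin/"><script>alert(3939)</script>/" ...`) and the hardened one yields `action="/admin/&quot;&gt;&lt;script&gt;..."`, which the browser treats as an ordinary attribute value. The lesson relative to Richard's 'next' reasoning is that escaping is decided by where a value is rendered, not by whether it is stored or shown to other users: a value that only ever goes back to the requester still needs attribute escaping if the requester can be lured onto a crafted link.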

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---