> > Sorry again Fabio, but I need to understand: the querystring does not seem
> > to have a "param=value" structure, and <s:url> has "test" as action, and
> > does not take any dynamic value (i.e. parameter), but maybe I am missing
> > something.
The bug is calling that page itself (I mean XSS.jsp), passing the malicious querystring via GET. The "test" action is never called. You get the XSS exploit on XSS.jsp. I pasted the full code of XSS.jsp somewhere; call it passing the malicious querystring (on IE6) and you will see the javascript being executed.
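To make the mechanism discussed in this thread concrete from the defender's side, here is an added illustration that is not code from the thread, from Fabio, or from Struts. It assumes, as the thread implies, that a URL tag copies the request's GET parameters into the link it emits; the helper names (`build_url`, `render_link_unsafe`, `render_link_safe`, `attribute_is_intact`) and the sample querystring are constructed for this example. It contrasts raw interpolation of the parameters into an `href` attribute with the layered encoding (percent-encode each parameter, then HTML-attribute-encode the whole URL) that keeps the attribute boundary intact whatever the querystring contains.

```python
"""Constructed illustration: reflecting request parameters into a generated
URL without encoding is an XSS sink; encoding at both layers closes it.
Hypothetical helper names; this is not Struts or <s:url> code."""
from html import escape
from urllib.parse import parse_qsl, quote


def build_url(action, query_string, include_params):
    # Hypothetical stand-in for a URL tag that (by assumption) copies the
    # request's GET parameters verbatim into the link it emits.
    params = parse_qsl(query_string, keep_blank_values=True) if include_params else []
    if not params:
        return action
    return action + "?" + "&".join(f"{k}={v}" for k, v in params)


def render_link_unsafe(action, query_string):
    # Raw interpolation: a parameter value containing '"' or '<' can end the
    # href attribute early and place attacker-controlled markup in the page.
    return f'<a href="{build_url(action, query_string, True)}">go</a>'


def render_link_safe(action, query_string):
    # Layered defence: percent-encode each parameter name and value so the
    # URL itself is well formed, then HTML-attribute-encode the finished URL
    # before it is placed inside the quoted href attribute.
    params = parse_qsl(query_string, keep_blank_values=True)
    encoded = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params)
    url = action + ("?" + encoded if encoded else "")
    return f'<a href="{escape(url, quote=True)}">go</a>'


def attribute_is_intact(rendered):
    # The template emits exactly two '"' (the attribute delimiters), two '<'
    # and two '>' (the <a ...> and </a> tags). Any extra one means the
    # reflected data broke out of the attribute.
    return (rendered.count('"') == 2
            and rendered.count("<") == 2
            and rendered.count(">") == 2)


if __name__ == "__main__":
    # Constructed querystring whose value carries a quote and angle brackets.
    sample = 'p=x" <tag>'
    print("unsafe :", render_link_unsafe("test", sample),
          "intact" if attribute_is_intact(render_link_unsafe("test", sample)) else "BROKEN")
    print("safe   :", render_link_safe("test", sample),
          "intact" if attribute_is_intact(render_link_safe("test", sample)) else "BROKEN")
```

Running the block prints the two renderings side by side: the unsafe one has a third `"` and a stray `<tag>` outside the attribute, while the safe one carries the same data as `%22%20%3Ctag%3E` and keeps the attribute closed where the template intended. The percent-encoding step alone is what matters for the URL; the `escape()` step is what protects the surrounding HTML context, and both are needed because the output lives in both contexts at once.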