Hi All,
One of the users on my website is still using a leak in UBB to post images on pages using comments on the forum. When I look at what he posts to get the result, I get the following:
[pic="http://i42.tinypic.com/2m4bqz4.gif" alt="a" style="position:fixed;right:0px;bottom:0px;float:right;" onmouseover="alert(String.fromCharCode(80,111,110,121,32,122,101,103,116,58,32,104,111,105));"]
Somehow he manages to run JavaScript with the above string, while the following:
#" onclick="alert(document.cookie)
is not working.
But when I try
[pic="http://i42.tinypic.com/2m4bqz4.gif" alt="a" style="position:fixed;right:0px;bottom:0px;float:right;" onmouseover="alert(String.fromCharCode(80,111,110,121,32,122,101,103,116,58,32,104,111,105));"]
myself, I do not get the same result. So I guess when looking at his message some characters are not showing anymore. What exactly does he use to be able to get JavaScript to run, and how do I prevent this from happening?
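
The following is an added example, not part of the original post and not code from any UBB package. It assumes the hole is that text inside the `[pic=...]` tag gets copied into the generated `<img>` element, and shows an allowlist renderer that builds the element only from a validated URL and an escaped `alt`; `renderPic` and `escapeAttr` are hypothetical names.

```javascript
// Added example: allowlist-based rendering of a [pic="..."] tag.
// renderPic and escapeAttr are hypothetical names, not from any forum package.

// Escape every character that can terminate or break out of a quoted attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"'`]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Accept only [pic="URL"] with an optional alt="text". Anything else in the
// tag (style=, on*= handlers, extra quotes) makes the whole tag fail to match.
const PIC_TAG = /^\[pic="([^"\s\]]+)"(?:\s+alt="([^"\]]*)")?\]$/;

function renderPic(tag) {
  const m = PIC_TAG.exec(tag);
  if (!m) return escapeAttr(tag);          // show the raw text, inert

  let url;
  try { url = new URL(m[1]); } catch { return escapeAttr(tag); }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return escapeAttr(tag);                // only absolute http(s) image URLs
  }
  // Build the element from parsed, escaped parts only; never copy tag text.
  return '<img src="' + escapeAttr(url.href) + '" alt="' + escapeAttr(m[2] || '') + '">';
}

// Constructed inputs: the tag quoted in the post, and a plain image tag.
const posted = '[pic="http://i42.tinypic.com/2m4bqz4.gif" alt="a" ' +
  'style="position:fixed;right:0px;bottom:0px;float:right;" ' +
  'onmouseover="alert(String.fromCharCode(80,111,110,121,32,122,101,103,116,58,32,104,111,105));"]';
const plain = '[pic="http://i42.tinypic.com/2m4bqz4.gif" alt="a"]';

console.log(renderPic(plain));   // a normal <img> element
console.log(renderPic(posted));  // escaped text, no element is created
```

Because the rejected tag is emitted as escaped text, a moderator can still see exactly what was submitted without the browser interpreting any of it.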