May 25th, 2002, 08:00 AM
Invisible AO Folders...
This is a bug that I've discovered with the AO PM Folders. A quick search found no matches of this being posted before. Gee, I feel special...
We all know how JP has worked to keep HTML in our posts out of AO? Well, he forgot at least one thing. The names of our PM folders!
I used a folder name of '</SELECT>', and now it shows up as a blank select box in the drop-down list. What's more, it doesn't show up in the list at the right with our folder names! It can be solved by replacing the '<' with the other combination that shows that character (the usual way). There may be other things that have this overlooked bug, but I doubt that they will have much impact, as this one only deals with your personal PM box. BTW, you can still access the folder.
I'm beginning to think of a few other things that have this bug now... If they cause little impact, such as this one, I might post it. Otherwise, I'll PM the invisible folder...
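An added example, not part of the thread and not the forum's own code: a Python sketch of the folder drop-down rendered without and with HTML escaping, plus a small parser that shows the blank entry and the stray closing tag the post describes. The names `render_folders`, `SelectAudit`, `audit` and the sample folder list are hypothetical.

```python
import html
from html.parser import HTMLParser

def render_folders(names, escape=True):
    """Render a PM-folder drop-down; escape=False reproduces the reported bug."""
    opts = []
    for i, name in enumerate(names):
        # Encode user-supplied text at output time, so '<' becomes '&lt;'.
        label = html.escape(name, quote=True) if escape else name
        opts.append(f'<option value="{i}">{label}</option>')
    return '<select name="folder">' + "".join(opts) + "</select>"

class SelectAudit(HTMLParser):
    """Collect the visible option labels and count </select> end tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.labels = []
        self.select_closes = 0
        self._in_option = False

    def handle_starttag(self, tag, attrs):
        if tag == "option":
            self._in_option = True
            self.labels.append("")

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
        elif tag == "select":  # tag names arrive lower-cased
            self.select_closes += 1

    def handle_data(self, data):
        if self._in_option:
            self.labels[-1] += data

def audit(markup):
    """Return (option labels, number of </select> tags) for rendered markup."""
    parser = SelectAudit()
    parser.feed(markup)
    parser.close()
    return parser.labels, parser.select_closes

# Constructed sample: the middle name is the one used in the post.
FOLDERS = ["Inbox", "</SELECT>", "Sent Items"]

if __name__ == "__main__":
    print("unescaped:", audit(render_folders(FOLDERS, escape=False)))
    print("escaped:  ", audit(render_folders(FOLDERS)))
```

More than one `</select>` in the rendered list is a quick regression check that a folder name reached the page unencoded.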
May 26th, 2002, 01:44 PM
Now THAT is hacking!
Well done Tim!
May 26th, 2002, 01:51 PM
Thanks to Tim and a bit of XSS, hehe.
I've come up with a bit of a more major hole that allows the contents of your cookies to be displayed. It's not so much of a problem in the PM folder, but I'm sure that with a bit of harder looking I could find a bigger exploit. I don't want to print it just in case some people get some ideas, so if JP you want to PM or email firstname.lastname@example.org
I will kindly tell you what the problem is.
P.S. Thanks tim_axe for sending my mind in the right direction.
May 28th, 2002, 05:40 PM
Thanks for the heads up on this! I've taken care of the problem.