Cross-Site Scripting and Malicious Content

What it Is

Cross-Site Scripting would potentially enable a malicious user to introduce executable code of his choice into another user’s web session. Once the code was running, it could take a wide range of actions, from monitoring the user’s web session and forwarding a copy to the malicious user (stealing personal information), to changing what’s displayed on the user’s screen (asking for credit card or password information). Even more seriously, the script could make itself persistent, so that the next time the user returned to the web site, the malicious user’s script would start running again.

This process can also infect the site being browsed and "poison" cookies.

This can happen with any browser. Please read the information provided in the links below to protect yourself when visiting other sites.

What We're Doing About It

Our mitigation efforts:

We explicitly specify the character set ISO-8859-1 on each page.

We do not use dynamically generated pages.

We provide non-scripted pages.
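
One way to check a static page against the charset and non-scripted mitigations listed above (an added example, not code from this site; the names PageAudit and audit and the two sample pages are constructed for illustration). It reports a missing or unexpected charset declaration and any script element, event-handler attribute or javascript: URL.

```python
from html.parser import HTMLParser

EXPECTED_CHARSET = "iso-8859-1"  # the character set the page says it declares
ACTIVE_TAGS = ("script", "object", "embed", "applet")
URL_ATTRS = ("href", "src", "action")

class PageAudit(HTMLParser):
    """Records the declared charset and any scripting found in one HTML page."""
    def __init__(self):
        super().__init__()
        self.charset = None
        self.scripting = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "content-type":
            # <meta http-equiv="Content-Type" content="text/html; charset=...">
            for part in attrs.get("content", "").split(";"):
                key, _, value = part.strip().partition("=")
                if key.strip().lower() == "charset":
                    self.charset = value.strip().lower()
        elif tag == "meta" and "charset" in attrs:  # <meta charset="...">
            self.charset = attrs["charset"].strip().lower()
        if tag in ACTIVE_TAGS:
            self.scripting.append(f"<{tag}> element")
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, ...
                self.scripting.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.scripting.append(f"javascript: URL in {name} of <{tag}>")

def audit(html):
    """Return a list of findings; an empty list means the page passes."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    findings = list(parser.scripting)
    if parser.charset is None:
        findings.insert(0, "no explicit charset declared")
    elif parser.charset != EXPECTED_CHARSET:
        findings.insert(0, f"charset is {parser.charset}, expected {EXPECTED_CHARSET}")
    return findings

# Constructed sample pages, not taken from the site.
GOOD_PAGE = ('<html><head><meta http-equiv="Content-Type" '
             'content="text/html; charset=ISO-8859-1"><title>t</title></head>'
             '<body><p>Hello</p><a href="page2.html">next</a></body></html>')
BAD_PAGE = ('<html><head><title>t</title></head><body onload="init()">'
            '<script src="a.js"></script><a href="javascript:go()">x</a></body></html>')
```

Calling audit(GOOD_PAGE) returns an empty list, while audit(BAD_PAGE) lists the missing charset and each piece of scripting in document order.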

What You Can Do To Protect Yourself

http://www.cert.org/advisories/CA-2000-02.html gives a detailed explanation and information on protecting yourself.

Below are some things you should know and do to ensure that, during the period when web sites are reviewing their code and making any needed changes, you can continue using the web safely.

Issues and instructions for Microsoft products:
http://www.microsoft.com/technet/security/crsstQS.asp

Issues and links for Netscape products:
http://home.netscape.com/security/index.html?cp=brirnl

Also see Protecting Yourself and Your Computer with Programs

©2001 Old-Mage.com and 'Dr' Dee's/Channel 7, Rittman, OH, 44270, U.S.A.