Comment spam: iframe usage

lately, the bad guys have been using iframes in comments, in order to grab
the content of a spam web page and attempt to show it on the site with the
injected comment. kind of interesting, as much as it is simple:

viagra <iframe
height="1" width="1" src="http:// h ome.tiscali.cz:8080/ racktire/"></iframe>

gadi evron,
ge@beyondsecurity.com.
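
A defender-side sketch for the comment injection described above, added here as an example and not code from the original post: it flags submitted comments that carry active-content tags such as the 1x1 iframe, and output-encodes the text so markup is displayed rather than rendered. The function names, the tag list and the sample URL are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Tags that let a comment pull in or run third-party content (assumed list).
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}

# Constructed sample modelled on the comment quoted above; the host is a placeholder.
SAMPLE = 'viagra <iframe height="1" width="1" src="http://spam.example.invalid:8080/path/"></iframe>'


def _tiny(value, limit=2):
    """True for pixel sizes such as "0", "1" or "1px" (the 1x1 trick)."""
    digits = (value or "").lower().replace("px", "").strip()
    return digits.isdigit() and int(digits) <= limit


class CommentScanner(HTMLParser):
    """Collects active-content tags found in a submitted comment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in ACTIVE_TAGS:
            return
        a = {k: (v or "").strip() for k, v in attrs}
        self.findings.append({
            "tag": tag,
            "src": a.get("src", ""),
            "hidden": _tiny(a.get("height")) or _tiny(a.get("width")),
        })


def scan_comment(raw):
    """Return one finding per active-content tag in the raw comment."""
    scanner = CommentScanner()
    scanner.feed(raw)
    scanner.close()
    return scanner.findings


def render_comment(raw):
    """Output-encode the comment so any markup shows as text, never as HTML."""
    return html.escape(raw, quote=True)


def moderate(raw):
    """Hold flagged comments for review; the rendered form is always encoded."""
    findings = scan_comment(raw)
    return {"action": "hold" if findings else "publish",
            "findings": findings, "html": render_comment(raw)}
```

The encoding step is what stops the iframe from rendering; the scan only decides whether the comment goes to a moderation queue.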

  • http://www.whiteacid.org Sid

    I don’t quite get this, the iframe gets rendered?!?

  • colossus

    If they are vulnerable to XSS then there is no reason why not. Although one could just hijack the entire page with a
    window.location='http://SpamSite.com'

    peace

  • http://weblogs.asp.net/cumpsd CumpsD

    Why would html be allowed in comments?