If you see an alert box when this page is loaded then you are vulnerable to cross site scripting type of attacks. The alert should show all the cookies that your site has enabled for this page. These cookies can (in theory) be used in any way an attacker see's fit. There are some restrictions however, if the site is running https, then automatically loaded page elements may have to come from the same site (in which case a web bug might not work). In addition it may not be possible to pass parameters to an image. However you can still have a link on the page which the user may select which could pass the cookies as an argument. If you have access to server logs then you can code the cookie in the image filename.
The code is here:
After it runs you get to see the rest of the page.
So for example an embedded image (a web bug) would look like this []
(a black dot, if it works!).
And a malicous link like this. (which is a link to the web bug, a black dot!). When you come back you can see what was recorded when you selected the link by clicking here.
Solution: the site should filter all output for JavaScript.
Note that many email clients are subject to the same vulnerability if they allow preview of web pages. However one could develop a mail message that simply told people they were vulnerable and told them how to make the appropriate changes - one could also of course log vulnerable email clients as well.
The above vulnerabilites are in the public domain and actively used.
