Open Source and information security mailing list archives
 
Date: Fri Jan 20 21:31:28 2006
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: MBT Xss vulnerability

In all honesty, XSS is a serious vector of attack.
However, non-persistent XSS is a much less serious problem
than is persistent XSS. Generally XSS is of no harm to the server
side anyway. It can however be leveraged as the OP said, but
would require a dedicated, pre-formed URL string that needs to
be presented to the user to be effective. IMHO the OP advisory
should not have been posted, because of the non-persistent nature
of the flaw at one dedicated site.

Issues come into play via persistent XSS, which is script that may
be embedded in a web application, such as a guestbook, or comment
section, where people would travel to on their own without the need of
a direct link and then rendered upon visitation in the user's browser.
Further, in today's world of browser exploitation, cookie, session,
and/or credential theft is not the only thing to be gained and is often
of minor importance and information. What is bad is leveraging XSS
as a vector for browser exploitation ( can we say IFRAME+WMF ),
so you have a way, via XSS, to COMPROMISE end users' systems.

While the OP does have a valid initial point and theory,
1. it is not persistent in nature
2. it is one site, and not a script used on many sites
3. it does require SE at some level to be effective
4. it should not have been posted to FD ( see points 1,2,3 )


my2bits,
MW