| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Dec 2007 13:12:23 -1000 From: Peter Besenbruch <prb@...a.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: Google / GMail bug, all accounts vulnerable On Wednesday 12 December 2007 11:27:28 Steven Adair wrote: > Glad to see we figured it out. :) Yes, "Cross Site Request Forgery" would > be the correct term referenced by the acronym in all of the replies > (subsequently also the first result in a normal Google query). And there you have it: I can use Google and Wikipedia. ;) > I'm still > not quite sure what the big deal on the favicon stuff in terms of this > issue. So lets say you completely disabled favicons altogether. Now when > you visit the original PoC - it no longer works. However, if you simply > had a 302 or mod_rewrite rule for any image that you actually had written > into the source of your page, you could achieve the same result. You are probably asking the wrong guy, but one of the comments made earlier in this thread claimed that the favicon method bypasses Noscript protections. Aside from XSS blocking, Noscript would eliminate IFRAMEs and most Javascript. Would your technique bypass it? -- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists