[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Circumventing CSFR Form Token Defense

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Circumventing CSFR Form Token Defense
From: "James C. Slora Jr." <james.slora@xxxxxxxx>
Date: Thu, 11 Jan 2007 08:59:09 -0500

bugtraq@xxxxxxxxx wrote Tuesday, January 09, 2007 7:21 PM

> Testing (only with IE, Firefox, Opera and Konqueror so far) 
> I found no way how to circumvent the restrictions of *reading* 
> requested pages from JS - setting up the request works, but 
> attempts to read the document (embedded in an frame/object*/iframe) 
> failed with some "access denied" exception (FF,Opera: exception, 
> Konqueror: undefined values, IE: Strange errors) when domain
> names do not match.

> *except IE

Does this mean that Object works to exploit IE?

References:
- Re: Circumventing CSFR Form Token Defense
  - From: bugtraq

Prev by Date: phpBB (privmsg.php) XSS Exploit
Next by Date: Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability
Previous by thread: Re: Circumventing CSFR Form Token Defense
Next by thread: rPSA-2007-0004-1 bzip2
Index(es):
- Date
- Thread