[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] MBT Xss vulnerability

To: Jerome Athias <jerome.athias@xxxxxxx>
Subject: Re: [Full-disclosure] MBT Xss vulnerability
From: Stan Bubrouski <stan.bubrouski@xxxxxxxxx>
Date: Fri, 20 Jan 2006 13:52:53 -0500

Reading over this again let me clarify why I'm curious about this:
1) Yes I'm aware someone could redirect someone to a form claiming to
be by MBT to harvest information
2) I just don't see the relevence to this list (if we reported every
XSS in every site, we could fill this list with 100s of message per
day)

Know what I mean?

-sb

On 1/20/06, Stan Bubrouski <stan.bubrouski@xxxxxxxxx> wrote:
> Well I'm not going to talk about how XSS is useless because we all
> know it can be quite a serious problem.  I think, and I don't know the
> guy so I can't be sure, the original dissenter to this post was
> pointing out that:
> What would you phish from a site that doesn't have any forms anyways?
> What would stealing a session cookie get you if the only dynamic
> content is a search function?
>
> I'm not saying XSS isn't important, I'm just wondering why this case is?
>
> -sb
>
> On 1/20/06, Jerome Athias <jerome.athias@xxxxxxx> wrote:
> > Hey guy, do you know something about XSS
> > 1) Phishing?
> > 2) encoded URL, UTF8...?
> > 3) cookie steal?
> > ...
> >
> > it'll not be difficult to reproduce a website and have an url difficult
> > to understand for a basic user...
> > sure it's harder to spoof the url in the browser...
> > //
> >
> > Native.Code a écrit :
> > > What a lame vulnerability it is. If your POC redirects to another site
> > > (which is not MBT site), how someone will become victim and believe that
> > > he/she is doing business with MBT?
> > >
> > > Your post is yet another proof that FD is more and more inhibited by scipt
> > > kiddies. Get a life!
> > >
> >
> >
> > ---------------------------------------------------------------------------------------------------------
> > About FD:
> > "Speech is silver, but silence is gold"
> >
> >
> > /JA
> > /https://www.securinfos.info/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] MBT Xss vulnerability
  - From: MuNNa
- Re: [Full-disclosure] MBT Xss vulnerability
  - From: Native.Code
- Re: [Full-disclosure] MBT Xss vulnerability
  - From: Jerome Athias
- Re: [Full-disclosure] MBT Xss vulnerability
  - From: Stan Bubrouski

Prev by Date: Re: [Full-disclosure] Re: Re: PC Firewall Choices
Next by Date: [Full-disclosure] MDKSA-2006:018 - Updated kernel packages fix several vulnerabilities
Previous by thread: Re: [Full-disclosure] MBT Xss vulnerability
Next by thread: [Full-disclosure] MDKSA-2006:017 - Updated mod_auth_ldap packages fix vulnerability
Index(es):
- Date
- Thread