Re: [Full-disclosure] MIMESweeper For Web 5.X Cross Site Scripting
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] MIMESweeper For Web 5.X Cross Site Scripting
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Date: Mon, 10 Jul 2006 08:06:07 -0400
On 7/9/06, Erez Metula <erezmetula@xxxxxxxxxxxxxx> wrote:
> An example attack scenario could be that an attacker will redirect many
> users (by email, posting in the organization portal, etc.) to some blocked
> URL and an accompanying script that will steal their authentication cookies.

It sounds like the net impact of this vulnerability is that an
attacker can steal cookies for a site the user isn't allowed to visit
anyway. In other words, there aren't going to be any interesting
cookies to steal. Is there more to this attack scenario?

Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/