[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Attacking the local LAN via XSS

To: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Attacking the local LAN via XSS
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Thu, 10 Aug 2006 16:39:45 +0200

* pdp:

>   1. page that is controlled by the attacker, lets call it evil.com
>   2. border router vulnerable to XSS
>   3. user attending evil.com

This has nothing to do with cross-site scripting attacks, it's an
entirely different vulnerability class called cross-site request
forgery (CSRF).  A lot of web applications are afffected.

Technically, this is a browser vulnerability, but you can't fix it
there as cross-site requests are too common in the real world.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Attacking the local LAN via XSS
  - From: pdp (architect)

Prev by Date: [Full-disclosure] Hotmail/MSN Cross Site Scripting Vulnerability
Next by Date: [Full-disclosure] [ GLSA 200608-15 ] MIT Kerberos 5: Multiple local privilege escalation
Previous by thread: Re: [Full-disclosure] Attacking the local LAN via XSS
Next by thread: Re: [Full-disclosure] Attacking the local LAN via XSS
Index(es):
- Date
- Thread