[pLog-svn] xss in 1.2.7

Matt Wood matt at woodzy.com
Mon May 5 22:11:13 EDT 2008


a nonce/token isn't a defense against XSS... it isn't even a very good
defense against CSRF, but the best we really know about ATM.

On Mon, May 5, 2008 at 5:41 PM, Jon Daley <plogworld at jon.limedaley.com>
wrote:

> On Mon, 5 May 2008, Reto Hugi wrote:
>
> > But in most cases CSRF countermeasures become useless if you have XSS
> > vulnerabilities (remember: XSS means code injection in your html, means
> > possibility to grab nonces etc...)
> >
>        Right, but if you don't even accept the POST in the first place,
> then it doesn't matter what the content is, no matter where it came from,
> right?
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
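As an added illustration of the two points being made in this thread (this is not code from the thread or from pLog/LifeType; the session store, function names and sample inputs are all constructed for the example): a server-side nonce check rejects a POST whose token does not match the session's token before the body is ever looked at, which is what stops a cross-site form submission. But a request that carries the page's own token is accepted no matter what sent it, so script already running in the page is not stopped by the nonce; that is why the XSS countermeasure has to be separate, here shown as HTML output encoding of untrusted content.

```python
import hmac
import secrets
import html

# Constructed in-memory session store: session id -> per-session CSRF token.
# A real application would keep this in its session backend.
SESSIONS = {}


def new_session():
    """Create a session and issue it a random CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the server embeds in the form it renders for this session."""
    return SESSIONS[sid]


def accept_post(sid, submitted_token):
    """Nonce check in the spirit of the thread: refuse the POST outright
    unless the submitted token matches the session's token. The comparison
    is constant-time so the check itself does not leak the token."""
    expected = SESSIONS.get(sid)
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def render_comment(untrusted):
    """The XSS countermeasure the nonce does not provide: encode untrusted
    text before it is placed in HTML so it is shown, not executed."""
    return "<p>" + html.escape(untrusted, quote=True) + "</p>"


def demo():
    """Walk through the three cases the thread discusses."""
    sid = new_session()
    return {
        # Cross-site form with no token: rejected before processing.
        "forged_no_token": accept_post(sid, None),
        # Cross-site form guessing a token: rejected.
        "forged_wrong_token": accept_post(sid, "not-the-real-token"),
        # Request carrying the page's own token: accepted regardless of
        # who built it, so the nonce is not an XSS defense.
        "with_page_token": accept_post(sid, csrf_token_for(sid)),
        # Untrusted input rendered with encoding: markup is neutralised.
        "encoded": render_comment('<script>x</script>'),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The check in `accept_post` is the piece that makes "don't even accept the POST" work against a forged cross-site submission; `render_comment` is the piece that keeps injected markup from running in the first place, which is the only way the token stays secret.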

