[pLog-svn] xss in 1.2.7
Matt Wood
matt at woodzy.com
Mon May 5 22:11:13 EDT 2008
a nonce/token isn't a defense against XSS... it isn't even a very good
defense against CSRF, but the best we really know about ATM.
On Mon, May 5, 2008 at 5:41 PM, Jon Daley <plogworld at jon.limedaley.com>
wrote:
> On Mon, 5 May 2008, Reto Hugi wrote:
>
> > But in most cases CSRF countermeasures become useless if you have XSS
> > vulnerabilities (remember: XSS means code injection in your html, means
> > possibility to grab nonces etc...)
> >
> Right, but if you don't even accept the POST in the first place,
> then it doesn't matter what the content is, no matter where it came from,
> right?
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
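The two points made in this exchange, as an added example that is not part of the thread or of the pLog/LifeType code base: a per-session CSRF token check rejects any POST that does not carry the token (Jon's point), but a script that already runs inside the page's origin can read that token, so the check cannot stop XSS (Reto's point); the XSS countermeasure is a separate output-encoding step. The session store, the form dictionary and the function names are assumptions made for illustration.

```python
"""Added example (not from the pLog/LifeType code base): a minimal per-session
CSRF token check of the kind discussed in the thread, alongside the separate
output-encoding step that XSS actually requires. The session store, the form
layout and all names here are assumptions for illustration."""
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> session data
SESSIONS = {}


def new_session():
    """Create a session with a fresh random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_ok(session_id, form):
    """Accept a POST only if it carries the token issued to this session.
    hmac.compare_digest avoids leaking the token through timing differences."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_post(session_id, form):
    """Return ('rejected', None) when the token is missing or wrong, otherwise
    ('accepted', comment) where the comment is HTML-escaped for later output."""
    if not csrf_ok(session_id, form):
        return ("rejected", None)
    # Output encoding is the XSS countermeasure; the token check is not.
    safe_comment = html.escape(form.get("comment", ""), quote=True)
    return ("accepted", safe_comment)


def demo():
    """Three constructed requests against one session."""
    sid = new_session()
    token = SESSIONS[sid]["csrf_token"]
    # 1. A cross-site POST cannot read the token, so it arrives without one.
    cross_site = handle_post(sid, {"comment": "hi"})
    # 2. A guessed token is rejected as well.
    guessed = handle_post(sid, {"comment": "hi", "csrf_token": "x" * 43})
    # 3. A request from the real page carries the token and is accepted; the
    #    comment body is encoded so markup inside it is rendered as text.
    legit = handle_post(sid, {"comment": "<b>hi</b>", "csrf_token": token})
    return cross_site, guessed, legit


if __name__ == "__main__":
    print(demo())
```

The third case is the one the thread is about: anything with access to the page's DOM can submit a request that looks exactly like `legit`, so the token check is the right place to stop cross-site POSTs and the wrong place to look for XSS protection, which lives in `html.escape` (or the equivalent at every output point).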