[pLog-svn] xss in 1.2.7

Matt Wood matt at woodzy.com
Tue May 6 09:59:28 EDT 2008


It depends on how you implemented the nonce.

I really haven't looked into this specific vuln, I've just happened on the
emails you guys were sending around... but assuming you have implemented a
site-wide nonce implementation that is page specific, form specific, user
specific, uses timed expiration, and requires authentication... it would be
hard to utilize the reflection attack in any meaningful way other than to
attack yourself.

I would never assume that it would be impossible; most of the time it is the
conglomeration of vulnerabilities that allows an attacker to do meaningful
things.

-Matt

On Tue, May 6, 2008 at 3:17 AM, Reto Hugi <plog at hugi.to> wrote:

> Jon Daley wrote:
>
> >    I must really not be getting XSS then.  If every post has to have a
> > token on it, how would someone guess the token in order to have the
> > javascript be accepted and displayed on the screen at all?  I'd expect the
> > token to be checked first, and simply die() if it doesn't match.
> >    I can't figure out a scenario where an attacker would be able to get
> > javascript displayed on the screen to be executed within the context of that
> > domain to steal a cookie, or do anything.
> >
> >
> Jon, you're right on that very example. But I suppose we won't implement
> the CSRF Check (i.e. the nonce check) on every request, but only on the
> ones writing to the database (that's where CSRF is the most dangerous).
> And therefore we still need to make sure we are not vulnerable to xss.
>
> It was probably good to have this discussed once again. It's the only
> way we all get the same understanding of those attacks :)
>
> @matt: or do you see a possibility of exploiting our xss vuln. *if* we
> had implemented the nonce on every request (that's the scenario jon is
> thinking about...)
>
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
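As an added illustration (not code from this thread or from the pLog/LifeType code base), here is a minimal nonce of the kind Matt describes, bound to user, page and form, expiring after a fixed interval and refused for unauthenticated requests, next to a toy dispatcher that applies Reto's design of checking the nonce only on writes. It shows why the read-only path still needs output escaping: a reflected parameter reaches the page without ever meeting the nonce check. All function names, the secret and the sample requests are assumptions constructed for the example.

```python
import hashlib
import hmac
import html
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment secret, generated here for the example
NONCE_TTL = 600                   # seconds a token stays valid (timed expiration)


def make_nonce(user_id, page, form, now=None):
    """Issue a token tied to this user, this page and this form, stamped with issue time."""
    issued = int(now if now is not None else time.time())
    msg = f"{user_id}|{page}|{form}|{issued}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def check_nonce(nonce, user_id, page, form, now=None):
    """True only if the token was issued to this user for this page/form and has not expired."""
    if user_id is None:
        return False  # requires authentication: anonymous requests never pass
    try:
        issued_str, mac = nonce.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    current = int(now if now is not None else time.time())
    if not 0 <= current - issued <= NONCE_TTL:
        return False  # expired (or issued in the future)
    msg = f"{user_id}|{page}|{form}|{issued}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle(request, session_user, now=None):
    """Toy dispatcher: the nonce guards writes only, so reads must escape reflected input."""
    action = request.get("action")
    if action == "save_post":  # write path: CSRF check first, then do the work
        if not check_nonce(request.get("nonce"), session_user, "admin", "save_post", now):
            return (403, "nonce check failed")
        return (200, "saved")
    if action == "search":  # read path: no nonce involved, reflected "q" must be escaped
        return (200, "Results for " + html.escape(request.get("q", "")))
    return (404, "")
```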