[pLog-svn] xss in 1.2.7

Jon Daley plogworld at jon.limedaley.com
Tue May 6 10:04:12 EDT 2008


What do you gain by being form or page specific?  And what does 
"requires authentication" mean?  Something more than a regular login that 
we already have?
I was thinking of a simple user and time token.

On Tue, 6 May 2008, Matt Wood wrote:

> It depends on how you implemented the nonce.
>
> I really haven't looked into this specific vuln, I've just happened on the
> emails you guys were sending around... but assuming you have implemented a
> site-wide nonce implementation that is page specific, form specific, user
> specific, uses timed expiration, and requires authentication... it would be
> hard to utilize the reflection attack in any meaningful way other than
> attack yourself.
>
> I would never assume that it would be impossible, most of the time it is the
> conglomeration of vulnerabilities that allow an attacker to do meaningful
> things.
>
> -Matt
>
> On Tue, May 6, 2008 at 3:17 AM, Reto Hugi <plog at hugi.to> wrote:
>
>> Jon Daley wrote:
>>
>>>    I must really not be getting XSS then.  If every post has to have a
>>> token on it, how would someone guess the token in order to have the
>>> javascript be accepted and displayed on the screen at all?  I'd expect the
>>> token to be checked first, and simply die() if it doesn't match.
>>>    I can't figure out a scenario where an attacker would be able to get
>>> javascript displayed on the screen to be executed within the context of that
>>> domain to steal a cookie, or do anything.
>>>
>>>
>> Jon, you're right on that very example. But I suppose we won't implement
>> the CSRF Check (i.e. the nonce check) on every request, but only on the
>> ones writing to the database (that's where CSRF is the most dangerous).
>> And therefore we still need to make sure we are not vulnerable to xss.
>>
>> It was probably good to have this discussed once again. It's the only
>> way we all get the same understanding of those attacks :)
>>
>> @matt: or do you see a possibility of exploiting our xss vuln. *if* we
>> had implemented the nonce on every request (that's the scenario jon is
>> thinking about...)
>>
>>
>

-- 
Jon Daley
http://jon.limedaley.com/

The only joy in the world is to begin.
-- Cesare Pavese
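Jon's "simple user and time token" and the properties Matt lists (user specific, form specific, timed expiration) can be combined in one HMAC-based nonce; the following is an added example, not pLog/LifeType code, written in Python rather than the project's PHP, and the server secret, user ids, form names and timestamps are constructed for illustration. As Reto says, this only guards the write requests against CSRF; it does nothing about the XSS itself.

```python
import hmac
import hashlib

# Constructed server-side secret for the example; a real install would generate
# and store its own (assumption, not pLog's own code).
SECRET = b"example-secret-do-not-reuse"
TTL_SECONDS = 600  # token validity window (assumed value)


def _message(user_id, form_id, expires):
    """Bind the token to the logged-in user, the form and an expiry time."""
    return f"{user_id}|{form_id}|{expires}".encode()


def make_nonce(secret, user_id, form_id, now, ttl=TTL_SECONDS):
    """Create the nonce to embed as a hidden field in one form for one user."""
    expires = int(now) + ttl
    mac = hmac.new(secret, _message(user_id, form_id, expires), hashlib.sha256)
    return f"{expires}:{mac.hexdigest()}"


def check_nonce(secret, nonce, user_id, form_id, now):
    """Verify a submitted nonce against the session user and the form posted to.

    Rejects malformed, expired, tampered, cross-user and cross-form tokens.
    """
    try:
        exp_str, mac = nonce.split(":", 1)
        expires = int(exp_str)
    except ValueError:
        return False
    if int(now) > expires:
        return False
    expected = hmac.new(secret, _message(user_id, form_id, expires), hashlib.sha256)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected.hexdigest())


def demo():
    """Issue one token for user 7 on the post-edit form and try it elsewhere."""
    issued_at = 1_210_000_000  # constructed timestamp
    token = make_nonce(SECRET, user_id=7, form_id="post_edit", now=issued_at)
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")  # tampered MAC
    return {
        "same_user_same_form": check_nonce(SECRET, token, 7, "post_edit", issued_at + 60),
        "other_user": check_nonce(SECRET, token, 8, "post_edit", issued_at + 60),
        "other_form": check_nonce(SECRET, token, 7, "comment_add", issued_at + 60),
        "expired": check_nonce(SECRET, token, 7, "post_edit", issued_at + TTL_SECONDS + 1),
        "tampered": check_nonce(SECRET, flipped, 7, "post_edit", issued_at + 60),
    }
```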

