Oh and its just as bad for single users and multiple... your safe if you NEVER have other tabs open and always sign out... but... thats not standard behavior (at least for me)<br><br><div class="gmail_quote">On Mon, May 5, 2008 at 10:44 AM, Matt Wood <<a href="mailto:matt@woodzy.com">matt@woodzy.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Here is a common exploitation scenario for you... <br><br>An Attacker is targeting the <a href="http://lifetype.net" target="_blank">lifetype.net</a> site, he wants admin.<br>
<br>He knows from emails and reading around that Oscar, Reto, Mark and Jon are likely to have admin on that page, so he makes a webpage on geocities or google or something.<br>
<br>On this webpage he has javascript (or a meta refresh tag or an HTTP 302) that immediately redirects you to <a href="http://lifetype.net/admin.php" target="_blank">lifetype.net/admin.php</a> with some javascript payload utilitizing the XSS exploit.<br>
<br>This javascript payload can utilize XSS to create an img tag, this img tag has a src of <a href="http://attackpage/record.php?data=admincredentials-base64ed%28or" target="_blank">http://attackpage/record.php?data=admincredentials-base64ed(or</a> something) as long as the data fits in the get parameters. You could also create a form and have no limit.<br>
<br>Now all the attacker has to do is email each of you telling you that he has found a serious bug in lifetype, and he has screenshots on this page <a href="http://google/blah.%28html%7Cphp%7Cjpg%29" target="_blank">http://google/blah.(html|php|jpg)</a> (depending on his level of control of the site). Maybe he even puts screen shots on there so it doesn't look too scary... and uses an iframe to do the actual attack. You would never know unless you are monitoring all your traffic through a proxy.<br>
<br>XSS is ALWAYS serious.<div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">On Mon, May 5, 2008 at 1:00 AM, Mark Wu <<a href="mailto:markplace@gmail.com" target="_blank">markplace@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>> Can you post an example? I am still not getting how<br>
> the server-side is involved. I understand that if I put<br>
> javascript on the admin's site, the javascript would have<br>
> access to stuff, but the browser is supposed to block<br>
> javascript from grabbing stuff from one site and posting it<br>
> to another, right? So, somehow he grabs stuff via<br>
> javascript, posts it to admin.php which then posts stuff to<br>
> another site?<br>
<br>
</div>I have no idea either. Reto, if you can provide an example here, that willl<br>
very helpful.<br>
<div><br>
> Sure, that's fine, but as far as I can tell, all inputs<br>
> would be susceptible to the same problem, so fixing one<br>
> variable isn't really a fix.<br>
<br>
</div>Not "all" inputs, just those inputs that we use string validator and does<br>
not filtered by htmlfilter( strip tags) or displayed without escape html<br>
special characters ...<br>
<br>
I think quite few ..<br>
<font color="#888888"><br>
Mark<br>
</font><div><div></div><div><br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br>