<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=743122302-06052008><FONT face=新細明體
color=#0000ff size=2>Matt:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=743122302-06052008><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=743122302-06052008><FONT face=新細明體
color=#0000ff size=2>ATM, you mean ATM machine? Why does it relate to CSRF?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=743122302-06052008><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=743122302-06052008><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Matt
Wood<BR><B>Sent:</B> Tuesday, May 06, 2008 10:11 AM<BR><B>To:</B> LifeType
Developer List<BR><B>Subject:</B> Re: [pLog-svn] xss in
1.2.7<BR></FONT><BR></DIV>
<DIV></DIV>a nonce/token isn't a defense against XSS... it isn't even a very
good defense against CSRF, but the best we really know about ATM.<BR><BR>
<DIV class=gmail_quote>On Mon, May 5, 2008 at 5:41 PM, Jon Daley <<A
href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</A>>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV class=Ih2E3d>On Mon, 5 May 2008, Reto Hugi wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; BORDER-LEFT: rgb(204,204,204) 1px solid">But in
most cases CSRF countermeasures become useless if you have XSS
vulnerabilities (remember: XSS means code injection in your html, means
possibility to grab nonces etc...)<BR></BLOCKQUOTE></DIV>
Right, but if you don't even accept the POST in the first
place, then it doesn't matter what the content is, no matter where it came
from, right?
<DIV>
<DIV></DIV>
<DIV
class=Wj3C7c><BR>_______________________________________________<BR>pLog-svn
mailing list<BR><A href="mailto:pLog-svn@devel.lifetype.net"
target=_blank>pLog-svn@devel.lifetype.net</A><BR><A
href="http://limedaley.com/mailman/listinfo/plog-svn"
target=_blank>http://limedaley.com/mailman/listinfo/plog-svn</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>