
Re: New Web Vulnerability - Cross-Site Tracing

From: <xss-is-lame(at)hushmail.com>
Date: Wed Jan 22 2003 - 16:31:34 EST

I would like to point out that in order to execute an "XST" attack, you have to be able to get JavaScript/Flash/etc executed on the victim's system as a PREREQUISITE.

So, to summarize:

If you can get arbitrary JavaScript executed on a web client, you can use this attack method to get arbitrary JavaScript executed on a web client, in a different zone.

Is this a useful thing to know if you're looking for a way to steal cookies? Sure! Is this a revolutionary tactic that will allow you to compromise the security of any of the webservers listed in the whitepaper? No.

This isn't any different from the many, many, many known ways of violating someone's HTTP client if you can get them to execute Flash or JavaScript or ActiveX of your choice. We've seen dozens of holes in IE's security constraints that allow attackers to view files, steal cookies or execute commands. Unlike Guninski or GreyMagic's advisories, this one has simply been built up to ridiculous proportions with marketing language in the press release and in the ExtremeTech article.
Received on Wed Jan 22 17:07:06 2003
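As an added example (not part of the original post or the whitepaper it criticises), here is the check a defender would run against their own server: does a TRACE response echo the request's Cookie header back, which is the condition the XST technique depends on? The host name, cookie value and both sample responses are constructed.

```python
from __future__ import annotations

# Added example, not from the original post. Classifies a raw HTTP TRACE
# response to see whether a server would let browser-side script read back
# the victim's Cookie header. All sample data below is constructed.

COOKIE_VALUE = "SESSIONID=example-session-token"  # constructed test value


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Build the TRACE request that script on the client would have to send."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {COOKIE_VALUE}\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_reflects_cookie(raw_response: bytes) -> bool:
    """True when TRACE succeeded and the body echoes the request's Cookie header."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False  # TRACE refused: nothing for the script to read back
    if not headers.get("content-type", "").startswith("message/http"):
        return False  # a TRACE echo is always served as message/http
    return f"Cookie: {COOKIE_VALUE}".encode() in body


# Constructed sample: a server with TRACE enabled echoes the request verbatim.
TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 + build_trace_request("example.test"))
# Constructed sample: a server with TRACE disabled (e.g. Apache "TraceEnable off").
TRACE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("TRACE enabled  -> cookie reflected:", trace_reflects_cookie(TRACE_ENABLED))
    print("TRACE disabled -> cookie reflected:", trace_reflects_cookie(TRACE_DISABLED))
```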


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT

