On 10/10/2007, Anton Karpov <[EMAIL PROTECTED]> wrote:
> 2007/10/10, Can Erkin Acar <[EMAIL PROTECTED]>:
> >
> > Anton Karpov <[EMAIL PROTECTED]> wrote:
> >
> >
> > In this case, if you have some web application on the same
> > *domain name* then the XSS can be used to take control of the
> > user session on the application. Especially fun for isp/hosting
> > kind of settings where you have customer management and
> > troubleshooting (looking glass etc.) services side by side.
> >
> > Can
>
>
>
> Yes, I'm aware of it, I
> just forgot about the situation when you can really give access to bgplg
> to [stupid] clients/users, who are not too smart to look into the
> url, use firefox/noscript, etc ;) To make things clear
> (as I see cvs commit
> logs), originally this bug was found by my colleague Alexander
> Polyakov, and I just mentioned it on misc@


"You should never underestimate the predictability of stupidity."

                -- Bullet-Tooth Tony, Snatch (2000)

:)

C.
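The point Can makes above is that a reflected XSS in a small CGI such as bgplg matters because the injected script runs with the cookies of every other application on the same domain name. The usual defence is to HTML-escape anything taken from the request before echoing it back. The following is an added example, not bgplg's code or anything from the OpenBSD tree: a minimal escaper and a hypothetical `render_result_line()` that shows how a looking-glass style CGI would echo a user-supplied query safely. The function names and the constructed input are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not bgplg's code: return a malloc'd copy of s in which
 * the five characters that are significant in HTML text and attribute
 * content are replaced by entities. Caller frees the result.
 */
char *
html_escape(const char *s)
{
	const char *p, *rep;
	size_t len = 0, n;
	char *out, *q;

	/* First pass: compute the escaped length. */
	for (p = s; *p != '\0'; p++) {
		switch (*p) {
		case '&':  len += 5; break;	/* &amp;  */
		case '<':  len += 4; break;	/* &lt;   */
		case '>':  len += 4; break;	/* &gt;   */
		case '"':  len += 6; break;	/* &quot; */
		case '\'': len += 5; break;	/* &#39;  */
		default:   len += 1; break;
		}
	}
	if ((out = malloc(len + 1)) == NULL)
		return NULL;

	/* Second pass: copy, substituting entities. */
	for (p = s, q = out; *p != '\0'; p++) {
		switch (*p) {
		case '&':  rep = "&amp;";  break;
		case '<':  rep = "&lt;";   break;
		case '>':  rep = "&gt;";   break;
		case '"':  rep = "&quot;"; break;
		case '\'': rep = "&#39;";  break;
		default:   *q++ = *p;      continue;
		}
		n = strlen(rep);
		memcpy(q, rep, n);
		q += n;
	}
	*q = '\0';
	return out;
}

/*
 * Hypothetical helper: a looking-glass CGI echoes the query it was asked
 * to run. Escaping the reflected value is what keeps an attacker-chosen
 * URL parameter from becoming markup in the response. Returns a malloc'd
 * line of HTML, or NULL on allocation failure.
 */
char *
render_result_line(const char *query)
{
	char *esc, *line;
	size_t n;

	if ((esc = html_escape(query)) == NULL)
		return NULL;
	n = strlen("<p>Result for: </p>") + strlen(esc) + 1;
	if ((line = malloc(n)) == NULL) {
		free(esc);
		return NULL;
	}
	snprintf(line, n, "<p>Result for: %s</p>", esc);
	free(esc);
	return line;
}

int
main(void)
{
	/* Constructed input: the kind of value an attacker would place in a URL. */
	const char *query = "<script>alert(document.cookie)</script>";
	char *line = render_result_line(query);

	if (line == NULL)
		return 1;
	puts(line);	/* the tag characters come out as entities, not markup */
	free(line);
	return 0;
}
```

`html_escape()` deliberately covers both text and attribute contexts so a single helper can be used everywhere a request value is reflected; escaping is the mitigation on the output side, and it is independent of whether the cookie is additionally marked HttpOnly.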
