On 10/10/2007, Anton Karpov <[EMAIL PROTECTED]> wrote:
> 2007/10/10, Can Erkin Acar <[EMAIL PROTECTED]>:
> >
> > Anton Karpov <[EMAIL PROTECTED]> wrote:
> > >
> > In this case, if you have some web application on the same
> > *domain name* then the XSS can be used to take control of the
> > user session on the application. Especially fun for isp/hosting
> > kind of settings where you have customer management and
> > troubleshooting (looking glass etc.) services side by side.
> >
> > Can
> >
> Yes, I'm aware of it, I just forgot about the situation when you can
> really give access to bgplg to [stupid] clients/users, which are not
> too smart to look into the url, use firefox/noscript, etc ;) To make
> things clear (as I see cvs commit logs), originally this bug was found
> by my colleague Alexander Polyakov, and I just mention it on misc@
"You should never underestimate the predictability of stupidity." -- Bullet-Tooth Tony, Snatch (2000) :) C.