OpenBSD XSS ;)
It's a kind of useless and funny XSS... in OpenBSD ;) http://www.toxahost.ru/images/funny/obsd_xss.JPG
Re: OpenBSD XSS ;)
Nice to hide your local network IP ;) Do not show it to anyone!

On 10/10/07, Anton Karpov [EMAIL PROTECTED] wrote:
> It's a kind of useless and funny XSS... in OpenBSD ;)
> http://www.toxahost.ru/images/funny/obsd_xss.JPG
Re: OpenBSD XSS ;)
On 2007/10/10 20:43, [EMAIL PROTECTED] wrote:
> Nice to hide your local network IP ;) Do not show it to anyone!
>
> On 10/10/07, Anton Karpov [EMAIL PROTECTED] wrote:
> > It's a kind of useless and funny XSS... in OpenBSD ;)

Well, it's fixed in -current. There are better ways to report a bug than misc@, though.
Re: OpenBSD XSS ;)
2007/10/10, Stuart Henderson [EMAIL PROTECTED]:
> On 2007/10/10 20:43, [EMAIL PROTECTED] wrote:
> > Nice to hide your local network IP ;) Do not show it to anyone!
> >
> > On 10/10/07, Anton Karpov [EMAIL PROTECTED] wrote:
> > > It's a kind of useless and funny XSS... in OpenBSD ;)
>
> Well, it's fixed in -current. There are better ways to report a bug than misc@, though.

I posted it here because I don't seriously think it's a [useful] bug
Re: OpenBSD XSS ;)
2007/10/10, Can Erkin Acar [EMAIL PROTECTED]:
> Anton Karpov [EMAIL PROTECTED] wrote:
>
> In this case, if you have some web application on the same *domain name* then the XSS can be used to take control of the user session on the application. Especially fun for isp/hosting kind of settings where you have customer management and troubleshooting (looking glass etc.) services side by side.
>
> Can

Yes, I'm aware of it, I just forgot about situation when you can really give access to bgplg to [stupid] clients/users, which are not too smart to look into the url, use firefox/noscript, etc ;)

To make things clear (as I see cvs commit logs), originally this bug was found by my colleague Alexander Polyakov, and I just mention it on misc@
Re: OpenBSD XSS ;)
Anton Karpov [EMAIL PROTECTED] wrote:
> 2007/10/10, Stuart Henderson [EMAIL PROTECTED]:
> > On 2007/10/10 20:43, [EMAIL PROTECTED] wrote:
> > > Nice to hide your local network IP ;) Do not show it to anyone!
> > >
> > > On 10/10/07, Anton Karpov [EMAIL PROTECTED] wrote:
> > > > It's a kind of useless and funny XSS... in OpenBSD ;)
> >
> > Well, it's fixed in -current. There are better ways to report a bug than misc@, though.
>
> I posted it here because I don't seriously think it's a [useful] bug

All bugs are useful :)

In this case, if you have some web application on the same *domain name* then the XSS can be used to take control of the user session on the application. Especially fun for isp/hosting kind of settings where you have customer management and troubleshooting (looking glass etc.) services side by side.

Can
Re: OpenBSD XSS ;)
On 10/10/2007, Anton Karpov [EMAIL PROTECTED] wrote:
> 2007/10/10, Can Erkin Acar [EMAIL PROTECTED]:
> > Anton Karpov [EMAIL PROTECTED] wrote:
> >
> > In this case, if you have some web application on the same *domain name* then the XSS can be used to take control of the user session on the application. Especially fun for isp/hosting kind of settings where you have customer management and troubleshooting (looking glass etc.) services side by side.
> >
> > Can
>
> Yes, I'm aware of it, I just forgot about situation when you can really give access to bgplg to [stupid] clients/users, which are not too smart to look into the url, use firefox/noscript, etc ;)
>
> To make things clear (as I see cvs commit logs), originally this bug was found by my colleague Alexander Polyakov, and I just mention it on misc@

You should never underestimate the predictability of stupidity.
-- Bullet-Tooth Tony, Snatch (2000)

:)

C.