Hahaha ... native code doesnt seem to understand the meaning of Xss and why it can be of security concern. Here not only url re-direction is possible but also execution of malicious _javascript_s is
possible.Your Lame reply makes me think that you areone of the following:
1.An employee of MBT
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 946-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 20th, 2006
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 947-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Michael Stone
January 21st, 2006
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 948-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
January 20th, 2005
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 949-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 20th, 2006
if anyone catches this please let me know and hook a brotha up with a copy.
http://isc.sans.org/diary.php?storyid=1056
As a side note its nice to know that that the UK style Bluetooth
Advertising HAS hit the US finally. Lots of vendors are still NOT
signing their .SIS files!
-KF
OS2A
RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability
OS2A ID: OS2A_1004 Status
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
Is it just me who thinks linking to a log of thousands of e-mail
addresses is in very poor taste on a mirrored list? If they weren't
harvested before they will be now.
-sb
On 1/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I don't
Hey guy, do you know something about XSS
1) Phishing?
2) encoded URL, UTF8...?
3) cookie steal?
...
it'll not be difficult to reproduce a website and have an url difficult
to understand for a basic user...
sure it's harder to spoof the url in the browser...
//
Native.Code a écrit :
What a lame
Well I'm not going to talk about how XSS is useless because we all
know it can be quite a serious problem. I think, and I don't know the
guy so I can't be sure, the original dissenter to this post was
pointing out that:
What would you phish from a site that doesn't have any forms anyways?
What
Nancy,
I was not trying to make the point that ZA is some buggy unusable
crap. Just that even properly configured we have encountered
instances where it misbehaves, behaves inconsistently, and slows down
web browsing with IE (not so much with opera or firefox apparently as
I tried that out last
Reading over this again let me clarify why I'm curious about this:
1) Yes I'm aware someone could redirect someone to a form claiming to
be by MBT to harvest information
2) I just don't see the relevence to this list (if we reported every
XSS in every site, we could fill this list with 100s of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2006:018
http://www.mandriva.com/security/
Hii
-Why would he be concerned? The problem is that most sites on theinternet suffer from XSS vulenrabilities, its just that nobody caresbecause there is nothing to gain from the sites. Nothing to gain you
say? Yes. Let's take this site you posted about for example, Ididn't look over the entire
Time to thrown my
.02 cents in.
Zone - Good product,
though it requires much thought and proper configuration for successful
installs. does not, always save your configurations settings when you shutdown.
This I find occurs most often when you upgrade Zone from one version to another
and
in all honesty, XSS is a serious vector of
attack.
however, non-persistant XSS is a much less serious
problem
than is persistant XSS. Generally XSS is of no harm
to the server
side anyway. It can however be leveraged as the OP
said, but
would require a dedicated, pre-formed url
string that
On 1/20/06, MuNNa [EMAIL PROTECTED] wrote:
Hii
-Why would he be concerned? The problem is that most sites on the
internet suffer from XSS vulenrabilities, its just that nobody cares
because there is nothing to gain from the sites. Nothing to gain you
say? Yes. Let's take this site you
On 1/20/06, Morning Wood [EMAIL PROTECTED] wrote:
in all honesty, XSS is a serious vector of attack.
however, non-persistant XSS is a much less serious problem
than is persistant XSS. Generally XSS is of no harm to the server
side anyway. It can however be leveraged as the OP said, but
would
However I do wish it had the feature that Sygate PRO has, which will
blackhole a IP if it detects a ports scan coming to it. it then blocks all
activity from the offending IP for approximately 10 minutes.
Well, it's a feature if the probes are really coming from the computer
Sygate PRO thinks
Dear Eliah Kagan,
EK Then Z comes along and sends a
EK bunch of SYN packets to X, spoofed to have the source IP of Y, waits
EK 10 minutes, and repeats ad infinitum.
Z sends spoofed packets coming from the DNS server of X even more
interesting..
--
http://secdev.zoller.lu
Thierry Zoller
Z sends spoofed packets coming from the DNS server of X even more
interesting..
When Sygate PRO blackholes a host, does it block only unsolicited
packets (bad), or does it block *all* incoming packets from that host
(worse)?
-Eliah
On 1/20/06, Thierry Zoller [EMAIL PROTECTED] wrote:
Dear
Any self-respecting network administrator, (who knows what he/she is doing),
would have planned for that
And setup some kind of overideing ruleset, that will allways allow
communiction to/from it's own resources.
A.K.A, the BLACKHOLE / IP BANNING would be overiden for IP's resources,
like that of
You are then saying don't buy your firewall bundled with your anti
virus. Logically that makes sense. It seems though that most AV vendors
sell a firewall with their deluxe packages maybe because they think you
need one and it gives them a little extra revenue.
I have dailup and no firewall
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2006:019
http://www.mandriva.com/security/
24 matches
Mail list logo
