Bugtraq mailing list archives

Postnuke XSS issues [correction]


From: Mark Grimes <mark () stateful net>
Date: Thu, 26 Sep 2002 09:09:08 -0700

As it turns out the Postnuke issue in particular is a red herring.

As the lead developer describes it -- the cookie generated is a local
site cookie that is sandboxed within the confines of the
browser/session.

It is not the remote user's cookie.

It is easy to be fooled by such a vulnerability if the local site cookie
is empty as well as the remote user's cookie.  Some conditions can
generate the exact same look and feel.

Be warned that all instances of scriptable java within URL/HTML
constructs (even with document.cookie) may not really be an XSS
issue even if it walks, talks and acts like an XSS bug.

Only carrying out the full exploit (cookie theft/account hijack) would
prove if it is really an issue in these cases.  However, I chose the
alternative and obtained feedback from the author.

[The feedback came much later than the post to bugtraq; there was such a
long delay I thought the post was moderated -- since it did get posted,
this message serves as a correction.]

-- 
Mark Grimes <mark () stateful net>
Stateful Labs
