Re: F-Secure to release XSS "potential dangers"

[Dan B <dan-fd () f-box org>]

Hi,

n3td3v wrote:
> You missed the point of my post.
>
> I have nothing against F-Secure reporting the bug, I only have
> something against F-Secure supplying information on how to use an XSS
> vulnerability properly in which to cause the most damage to the
> Netscape web site.
F-Secure have not stated this in their posting to their weblog.

> If you read my post and the F-Secure blog properly, you'll see they
> reported that the vulnerability wasn't exploited fully, and F-Secure
> promised to publish information to show attackers how to do the job
> properly.
Incorrect. And I quote from
http://www.f-secure.com/weblog/archives/archive-072006.html#00000927

"We'll finish our draft with more on the potential dangers of XSS for
you soon."

This in no way states that they are going to release details of current
live XSS.
> Thanks for your attempt to wind me up, you almost succeeded.
>
> n3td3v
And if you take a look at:
http://www.f-secure.com/weblog/archives/archive-072006.html#00000930
They do exactly that... DISCUSS the risks/dangers, NOT the details.

You really should read peoples words more carefully before responding.

Cheers,
Dan.

PS. It's Thursday, nearly the weekend!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/