Full Disclosure mailing list archives
Can everyone stop posting fake Yahoo XSS vulns?
From: n3td3v <n3td3v () gmail com>
Date: Tue, 18 Apr 2006 18:09:57 +0100
I complained to Securityfocus for letting this one through: http://www.securityfocus.com/archive/1/431039

The "done=" thing is on purpose and is there by design. There is no threat per se, and it won't be fixed, because there's nothing to fix. Folks complained about something similar years ago with the rd.yahoo.com thing, which had more substance to it than the recent "done=" thing. If done= was a real potential threat it would have been sorted years ago.

Every hacker on the planet, including the Yahoo security team, knows you can add -any- address onto there. It is not XSS. Please read what XSS is before you post. You can claim a phishing vector with your fake vuln, but you can't claim cross-site scripting. Title your "Advisories" in the correct way; it's misleading to cry "XSS" at every phishing vector, which doesn't in fact involve XSS in its true meaning.

Thanks,

n3td3v

And I'm posting this here, because Securityfocus didn't believe in freedom of speech when I sent a similar message in reply to the Securityfocus thread.

Just don't cry wolf too many times with XSS...
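The post's distinction is between an open redirect (a "done=" parameter that will send the browser to any address, i.e. a phishing vector) and cross-site scripting. As an added example, not code from the post or from Yahoo, here is the server-side check that closes the "any address" behaviour: resolve the parameter against the site's own origin first, then accept only http(s) targets whose host is on an allowlist. The origin, allowlist and sample values are constructed assumptions.

```python
"""Validate a post-login 'done=' redirect parameter (added example).

The weak behaviour described in the post is 'redirect wherever done= says'.
The hardened version below resolves the value first (so protocol-relative
forms are seen for what they are) and then checks scheme and host.
"""
from urllib.parse import urlsplit, urljoin

SITE_ORIGIN = "https://login.example.com"                   # assumed login host
ALLOWED_HOSTS = {"login.example.com", "mail.example.com"}   # assumed allowlist


def resolve_done(done: str) -> str:
    """Absolute URL the browser would actually be sent to for this value."""
    return urljoin(SITE_ORIGIN + "/", done)


def is_safe_redirect(done: str) -> bool:
    """True only for http(s) targets on an allowlisted host.

    An empty value, a non-http scheme, or a host outside the allowlist is
    refused; a bare string-prefix check on the raw value would miss
    '//other.example/...' because urljoin turns it into a full URL.
    """
    if not done:
        return False
    target = urlsplit(resolve_done(done))
    if target.scheme not in ("http", "https"):
        return False
    return target.hostname in ALLOWED_HOSTS


def safe_done(done: str, fallback: str = SITE_ORIGIN + "/") -> str:
    """Redirect target to use: the validated value, else a fixed fallback."""
    return resolve_done(done) if is_safe_redirect(done) else fallback


if __name__ == "__main__":
    # Constructed sample values: same-site path, allowlisted host, other host.
    for value in ["/inbox", "https://mail.example.com/inbox",
                  "https://other.example/", "//other.example/x", ""]:
        print(f"{value!r:35} -> {safe_done(value)}")
```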