Full Disclosure mailing list archives

Re: MBT Xss vulnerability

From: Stan Bubrouski <stan.bubrouski () gmail com>
Date: Fri, 20 Jan 2006 13:52:53 -0500

Reading over this again let me clarify why I'm curious about this:
1) Yes I'm aware someone could redirect someone to a form claiming to
be by MBT to harvest information
2) I just don't see the relevence to this list (if we reported every
XSS in every site, we could fill this list with 100s of message per
day)

Know what I mean?

-sb

On 1/20/06, Stan Bubrouski <stan.bubrouski () gmail com> wrote:

Well I'm not going to talk about how XSS is useless because we all
know it can be quite a serious problem.  I think, and I don't know the
guy so I can't be sure, the original dissenter to this post was
pointing out that:
What would you phish from a site that doesn't have any forms anyways?
What would stealing a session cookie get you if the only dynamic
content is a search function?

I'm not saying XSS isn't important, I'm just wondering why this case is?

-sb

On 1/20/06, Jerome Athias <jerome.athias () free fr> wrote:

Hey guy, do you know something about XSS
1) Phishing?
2) encoded URL, UTF8...?
3) cookie steal?
...

it'll not be difficult to reproduce a website and have an url difficult
to understand for a basic user...
sure it's harder to spoof the url in the browser...
//

Native.Code a écrit :

What a lame vulnerability it is. If your POC redirects to another site
(which is not MBT site), how someone will become victim and believe that
he/she is doing business with MBT?

Your post is yet another proof that FD is more and more inhibited by scipt
kiddies. Get a life!



---------------------------------------------------------------------------------------------------------
About FD:
"Speech is silver, but silence is gold"


/JA
/https://www.securinfos.info/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: MBT Xss vulnerability, (continued)
- - - Re: MBT Xss vulnerability MuNNa (Jan 20)
    - Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
    - Re: MBT Xss vulnerability MuNNa (Jan 20)
    - Re: MBT Xss vulnerability Morning Wood (Jan 20)
    - Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
    - Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
    - Re: MBT Xss vulnerability MuNNa (Jan 21)
    - Re: MBT Xss vulnerability Native.Code (Jan 22)
  - Re: MBT Xss vulnerability Jerome Athias (Jan 20)
    - Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
    - Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)