Full Disclosure mailing list archives

Re: MIMESweeper For Web 5.X Cross Site Scripting


From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 10 Jul 2006 08:06:07 -0400

On 7/9/06, Erez Metula <erezmetula () 2bsecure co il> wrote:
> An example attack scenario could be that an attacker will redirect many
> users (by email, posting in the organization portal, etc.) to some blocked
> URL and an accompanying script that will steal their authentication cookies.

It sounds like the net impact of this vulnerability is that an
attacker can steal cookies for a site the user isn't allowed to visit
anyway.  In other words, there aren't going to be any interesting
cookies to steal.  Is there more to this attack scenario?

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

