Vulnerability Development mailing list archives

Re: CSS implication


From: "HarryM" <harrym () the-group org>
Date: Thu, 21 Mar 2002 10:18:11 -0000

Although very similar to XSS, writing SSI, PHP, or any other kind of
server side language is not XSS, but rather a remote file writing
vulnerability. The difference is there and I don't feel we should confuse
the two.  I am not sure if you would call client side scripting that is
saved to a file on the server XSS, but I personally do not count it as such.

I don't agree at all, if anything, grabbing a file from another site and
executing PHP in it is more XSS as I understand it, since you're 'crossing'
servers to get the code. If this isn't XSS then what about reaching to
another domain to download a .js file for execution, like the recent
vulnerabilities on online news pages? Perhaps there should be different
terms for clientside/serverside XSS vulns but I feel they fall under the
same category.

Harry


