Re: Sourceforge.net XSS

[v9 <v9 () fakehalo us>]

alright.  folks, enough with the unrelated XSS stories, for the last time,
i'm simply saying not all XSS are the same...i am talking about XSS that
doesn't get saved on the server and has to be included in the url... i
don't know how much more clear to make this.

"http://something.com/...?[XSS HERE]" style.

i'm quite aware of samy's myspace worm, good idea, however that is
completely different from what i am and have been talking about.

samy's worm was stored on the server and shown to all who viewed his
myspace page.  these kind of XSS are in  a url you'd have to create
yourself, you wouldn't ever stroll across this, as you have to make it in
the url to work.

so as i said before, encoded/phishing (emails) is about the only possible
use for these that i can see, and not even to a good extent(easier
to just use the usual <A HREF> style misdirection, and has more options).
if someone can tell me otherwise, post a RELATED reply. (ie. in-url XSS)


On Mon, 17 Apr 2006, Juan C Calderon wrote:

> Hello,
>
> I want to share with you this information I got from
> this same list back in April 5th, It is about a virus
> created with an XSS at a myspace website (check the
> list archives).
>
> Myspace.com - Intricate Script Injection Vulnerability
> advisory
> http://www.silent-products.com/advisory4.5.06.txt
>
> The myspace hack story
> http://fast.info/myspace/
>
> There are very interesting links at the end of this
> paper relating to XSS viruses and their differences
> with traditional viruses.
> http://www.bindshell.net/papers/xssv.html
>
> hope it is interesting to you, this is just a little
> example of what a XSS can do,
>
> Cheers,
> JC
>
> __________________________________________________
> Correo Yahoo!
> Espacio para todos tus mensajes, antivirus y antispam ¡gratis!
> Regístrate ya - http://correo.espanol.yahoo.com/