Re: CSS implication
From: HarryM (harrym@the-group.org)
Date: 03/21/02
From: "HarryM" <harrym@the-group.org>
To: "b0iler _" <b0iler@hotmail.com>, <vuln-dev@securityfocus.com>
Date: Thu, 21 Mar 2002 10:18:11 -0000
> Although very similar to XSS, writing SSI, PHP, or any other kind of server
> side language is not XSS, but rather a remote file writing vulnerability.
> The difference is there and I don't feel we should confuse the two. I am
> not sure if you would call client side scripting that is saved to a file on
> the server XSS, but I personally do not count it as such.
I don't agree at all, if anything, grabbing a file from another site and
executing php in it is more XSS as I understand it, since you're 'crossing'
servers to get the code. If this isn't XSS then what about reaching to
another domain to download a .js file for execution, like the recent
vulnerabilities on online news pages? Perhaps there should be different
terms for clientside/serverside XSS vulns but I feel they fall under the
same category.
Harry