[VIM] Hostflow "XSS" by r0t - another interpretation
Steven M. Christey
coley at mitre.org
Fri Jun 30 18:01:39 EDT 2006
ref:
http://pridels.blogspot.com/2006/06/hostflow-vuln.html
VDBs are calling this XSS, but r0t didn't. Since r0t frequently
finds XSS, this suggests to me that he's talking about something
different.
My interpretation is roughly:
- the product seems to protect against normal XSS (or at least
obvious XSS)
- normal functioning of the product allows IMG tags
- when the victim accesses new_ticket.php, it's through a GET request
that includes credentials within the parameters
- when the victim's browser loads the IMG, it sends the referrer URL,
which includes the credentials, to the attacker's site
- the credentials in the URL are the only elements used for
authentication, so the attacker can then replay them to gain access
- Steve
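
An audit check for the condition described in this message, added here as an example and not taken from the original post or from Hostflow: given a page URL and the user-supplied HTML rendered on it, it reports which credential-like query parameters are present and which external image hosts would receive them in the Referer header. The parameter names, host names and sample ticket body are assumptions constructed for illustration; only `new_ticket.php` comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, urljoin

# Assumed credential-like parameter names; the post does not name the real ones.
SENSITIVE_PARAMS = {"user", "username", "login", "pass", "password",
                    "passwd", "sid", "session", "token"}


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every IMG tag in a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag names, so <IMG> matches too
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def sensitive_params(url):
    """Names of credential-like parameters found in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})


def referer_exposure(page_url, html):
    """Return (leaked parameter names, external hosts that would see them)."""
    leaked = sensitive_params(page_url)
    if not leaked:
        return [], []
    page_host = urlsplit(page_url).hostname
    collector = _ImgCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        target = urlsplit(urljoin(page_url, src))  # resolve relative image paths
        if target.scheme in ("http", "https") and target.hostname != page_host:
            hosts.add(target.hostname)
    return leaked, sorted(hosts)


# Constructed sample input: a GET URL carrying credentials and a ticket body
# containing one off-site image and one same-site image.
PAGE_URL = "http://helpdesk.example/new_ticket.php?user=alice&pass=REDACTED&dept=2"
TICKET_HTML = ('<p>hello</p><IMG SRC="http://images.example.net/logo.gif">'
               '<img src="/static/icon.png">')

if __name__ == "__main__":
    print(referer_exposure(PAGE_URL, TICKET_HTML))
```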