[VIM] Hostflow "XSS" by r0t - another interpretation

Steven M. Christey coley at mitre.org
Fri Jun 30 18:01:39 EDT 2006
VDB's are calling this XSS, but r0t didn't.  Since r0t frequently
finds XSS, this suggests to me that he's talking about something

My interpretation is roughly:

 - the product seems to protect against normal XSS (or at least
   obvious XSS)

 - normal functioning of the product allows IMG tags

 - when the victim accesses new_ticket.php, it's through a GET request
   that includes credentials within the parameters

 - when the victim's browser loads the IMG, it sends the referrer URL,
   which includes the credentials, to the attacker's site

 - the credentials in the URL are the only elements used for
   authentication, so the attacker can then replay them to gain access

- Steve
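Added example (not part of Steve's post or the Hostflow product): a small Python model of what the victim's browser sends as the Referer when the embedded IMG loads, and how a Referrer-Policy on the page would change it. The page URL, host names and credential parameter names below are constructed assumptions; legacy browsers of the time behaved like the `no-referrer-when-downgrade` default, sending the full URL including the query string.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed page URL of the kind described: credentials ride in the GET
# query string of new_ticket.php (parameter names are assumptions).
PAGE_URL = "http://helpdesk.example/new_ticket.php?user=alice&pass=s3cret&subject=hi"
# An IMG the product lets a user embed, hosted on a third-party site.
IMG_SRC = "http://third-party.example/pixel.gif"

# Parameter names treated as credential-bearing (assumed list).
SENSITIVE = ("user", "pass", "password", "session", "token")


def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def referer_for(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when the page at page_url loads
    resource_url under the given Referrer-Policy; None if nothing is sent.
    Only the policies relevant to this leak are modelled."""
    page = urlsplit(page_url)
    host = page.hostname + (f":{page.port}" if page.port else "")
    # Browsers never send the fragment or URL userinfo; the query string stays.
    full = urlunsplit((page.scheme, host, page.path, page.query, ""))
    origin_only = urlunsplit((page.scheme, host, "/", "", ""))
    downgrade = page.scheme == "https" and urlsplit(resource_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin(page_url, resource_url) else None
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin(page_url, resource_url) else origin_only
    raise ValueError(f"unsupported policy: {policy}")


def leaks_credentials(referer):
    """True if the Referer value carries a query parameter with a sensitive name."""
    if not referer:
        return False
    return any(k.lower() in SENSITIVE for k in parse_qs(urlsplit(referer).query))


if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(PAGE_URL, IMG_SRC, pol)
        print(f"{pol:32} Referer={ref!r} leaks={leaks_credentials(ref)}")
```

A policy of `strict-origin-when-cross-origin` or `no-referrer` stops the third-party host from seeing the query string, but the durable fix is to keep credentials out of the URL entirely (session cookie or POST body), since any logged or bookmarked URL would leak them as well.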