Good points in the article! I wasn't thinking of that.

So the alert could be a password grabber, e-mailing the passwords for your swiki users to the hacker (and you would be none the wiser--I don't even see anything in the log).

thanks, antonio.

hal

On Mar 5, 2008, at 3:37 PM, Antonio Barros wrote:

> Dear Professor Mark,
>
> I think this short article can help "Cross site scripting (XSS)
> attacks are often seen as a powerless hack. While this is true in
> some cases, for the most part the impact of an XSS vulnerability is
> left up to the imagination and talent of the attacker..." <http://
> www.informit.com/articles/article.aspx?p=603037>.
> I am not a security expert, but I think this can happen in the swiki
> home and in any page with edit permission or an "add to the page"
> button.
> My best,
>
> Antonio Barros
> Brazil
>
> On 05/03/2008, at 18:31, Guzdial, Mark wrote:
>
>> I'm not even sure I grok the question...
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] on behalf of
>> [EMAIL PROTECTED]
>> Sent: Wed 3/5/2008 4:23 PM
>> To: [EMAIL PROTECTED]
>> Subject: [Swiki-bugs] SWIKI 1.5 Cross-Site Scripting
>>
>> Swiki-Bugs,
>> FYI there is an XSS vuln in Swiki 1.5 exploitable by:
>>
>> http://[host]:8000/<script>alert("XSS");</script>
>>
>> I would like to post to bugtraq so please let me know when it has
>> been fixed! Thanks!
>>
>> --
>> Brad Antoniewicz
>> Senior Security Consultant
>> Foundstone Professional Services
>> A Division of McAfee
>> http://www.foundstone.com
>>
>> [EMAIL PROTECTED]
>> (O) 646.728.1493
>> (C) 347.801.5864
>> (F) 212.869.6720
>> 1133 Avenue of the Americas
>> New York, NY 10036
>> PGP Key: http://www.foundstone.com/us/pgpkeys/bradantoniewicz.asc
>> Blog: http://www.avertlabs.com/research/blog/
>>
>>
>> _______________________________________________
>> Swiki-bugs mailing list
>> [EMAIL PROTECTED]
>> https://mailman.cc.gatech.edu/mailman/listinfo/swiki-bugs
>>
>>
>> _______________________________________________
>> Pws mailing list
>> Pws@cc.gatech.edu
>> https://mailman.cc.gatech.edu/mailman/listinfo/pws

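The reflected-path XSS reported in the thread and the impact Hal describes, as an added example that is not Swiki's own code (Swiki is Smalltalk; this is Python, and the shape of the "page not found" handler is assumed): the vulnerable handler echoes the request path verbatim, the fixed one HTML-escapes it, and `reflects_raw_markup()` is a regression check a maintainer can run against either form.

```python
"""Added example: a 'page not found' handler that echoes the request path.

Not Swiki's own code; the handler shape is assumed. The vulnerable form
reflects the decoded path verbatim, the fixed form HTML-escapes it, and
reflects_raw_markup() is a regression check that works on either form.
"""
import html
from urllib.parse import unquote

# Constructed sample, modelled on the request path quoted in the report.
SAMPLE_PATH = '/<script>alert("XSS");</script>'


def render_not_found_unsafe(path: str) -> str:
    """Vulnerable pattern: the decoded path goes straight into the page."""
    page = unquote(path)
    return f"<html><body><h1>Page {page} not found</h1></body></html>"


def render_not_found_safe(path: str) -> str:
    """Fix: escape <, >, &, and quotes so the path is rendered as text."""
    page = html.escape(unquote(path), quote=True)
    return f"<html><body><h1>Page {page} not found</h1></body></html>"


def reflects_raw_markup(path: str, body: str) -> bool:
    """True if markup characters from the request survive unescaped in the
    response, i.e. the response reflects request-controlled HTML."""
    decoded = unquote(path)
    if "<" not in decoded and ">" not in decoded:
        return False  # nothing in the request could start a tag
    return decoded in body


def handle_request(path: str, escape_output: bool = True) -> tuple:
    """Minimal request handler returning (status, body) for a missing page."""
    render = render_not_found_safe if escape_output else render_not_found_unsafe
    return 404, render(path)


if __name__ == "__main__":
    for escape_output in (False, True):
        status, body = handle_request(SAMPLE_PATH, escape_output)
        print(f"escape={escape_output}: status={status} "
              f"reflects_raw_markup={reflects_raw_markup(SAMPLE_PATH, body)}")
```

The same escaping has to be applied anywhere user-supplied text is written into a page body, not only in the not-found handler; the check is cheap enough to run as a unit test for each such spot.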