Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Warren Young
On Apr 3, 2017, at 11:15 AM, Eduard wrote:
> Evil-user then convinces good-user to visit evilproject while logged into goodproject

Ah, I see. Yes, I agree now.

>>> (Another way to fix it is by giving each repository a separate subdomain
>>
>> ...run as a

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Eduard
On 04/03/2017 02:16 AM, Warren Young wrote:
> On Apr 2, 2017, at 9:28 PM, Eduard wrote:
>>
>> An attacker can place malicious javascript at the top of every page
>
> Certainly.
>
>> they could, for example, change the victim's password
>
> Doesn’t the login

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Stephan Beal
On Mon, Apr 3, 2017 at 5:28 AM, Eduard wrote:
> Hi,
>
> I recently realized that fossil repository hosting websites (such as chiselapp and hydra) are vulnerable to arbitrary HTML injection (XSS) as

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Warren Young
On Apr 2, 2017, at 9:28 PM, Eduard wrote:
>
> An attacker can place malicious javascript at the top of every page

Certainly.

> they could, for example, change the victim's password

Doesn’t the login cookie prevent the hosted user from doing that to any but