2007/10/10, Can Erkin Acar <[EMAIL PROTECTED]>:
>
> Anton Karpov <[EMAIL PROTECTED]> wrote:
>
>
> In this case, if you have some web application on the same
> *domain name* then the XSS can be used to take control of the
> user session on the application. Especially fun for isp/hosting
> kind of settings where you have customer management and
> troubleshooting (looking glass etc.) services side by side.
>
> Can



Yes, I'm aware of it, I just forgot about the situation when you can
really give access to bgplg to [stupid] clients/users, who are not smart
enough to look into the URL, use firefox/noscript, etc ;) To make things
clear (as I see in the cvs commit logs), originally this bug was found by
my colleague Alexander Polyakov, and I just mentioned it on misc@
