2007/10/10, Can Erkin Acar <[EMAIL PROTECTED]>:
> > Anton Karpov <[EMAIL PROTECTED]> wrote:
> > >
> In this case, if you have some web application on the same
> *domain name* then the XSS can be used to take control of the
> user session on the application. Especially fun for isp/hosting
> kind of settings where you have customer management and
> troubleshooting (looking glass etc.) services side by side.
>
> Can
Yes, I'm aware of it, I just forgot about the situation where you can really give access to bgplg to [stupid] clients/users, who are not smart enough to look into the URL, use Firefox/NoScript, etc ;) To make things clear (as I see in the CVS commit logs), this bug was originally found by my colleague Alexander Polyakov, and I just mentioned it on misc@.