Due to security reasons many Web Browsers don't allow cross
domain XMLHttpRequests. In fact this is only troublesome for web
developers and not for virus coders/crackers/etc. Some time ago there
was presented a technique which used cssText property to perform some
cross domain requests. After
Michal Majchrowicz wrote:
Due to security reasons many Web Browsers don't allow cross
domain XMLHttpRequests.
[..]
Hi Michal, personally I don't get your point (to me it seems just
a hybrid implementation using both server side and client side
scripting) but I'm sure you can better explain
Hi.
Thanks for showing this vulnerability :) In fact it was not supposed
to be safe, but now it should be :) You are right this is not a
vulnerability by itself but it gives an attacker a very useful tool
for attackers/trojans to perform Real Time Attacks on user's browser.
Regards Michal.
On
Hello,
Thanks for showing this vulnerability :) In fact it was not supposed
to be safe, but now it should be :) You are right this is not a
adding
if(strstr($_GET['url'],'file:'))
die;
is not safe at all...
Regards,
Stefan
___
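Added example, not part of the thread and not the script under discussion: a scheme allowlist for a URL-fetching proxy, shown next to the substring check quoted above. The helper names and sample URLs are constructed for illustration; only the `file:` check comes from the thread.

```php
<?php
// Added example. is_fetchable_url() and blacklist_check() are hypothetical
// helpers; the sample URLs below are constructed.

const ALLOWED_SCHEMES = ['http', 'https'];

// Allowlist: accept only absolute http(s) URLs with a host.
function is_fetchable_url(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed, relative, or a bare local path
    }
    // URL schemes are case-insensitive, so normalise before comparing.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return false;
    }
    // Reject embedded credentials (user:pass@host), which a proxy never needs.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return true;
}

// The check quoted in the thread: passes anything without a literal "file:".
function blacklist_check(string $url): bool
{
    return strstr($url, 'file:') === false;
}

// Constructed sample inputs.
$samples = [
    'http://example.com/page',
    'file:///etc/hosts',
    'FILE:///etc/hosts',
    '/etc/hosts',
    'ftp://example.com/x',
];

foreach ($samples as $u) {
    printf(
        "%-28s blacklist=%-6s allowlist=%s\n",
        $u,
        blacklist_check($u) ? 'pass' : 'reject',
        is_fetchable_url($u) ? 'pass' : 'reject'
    );
}
```

A scheme allowlist only constrains the protocol; it does not restrict which hosts the proxy is allowed to reach.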
Hi,
Thanks for the suggestion. Please try it now :)
But as I said before this script WASN'T INTENDED to be safe at all :)
I wanted to show that it is possible to perform some kind of Cross
Domain Requests. That's all :)
Regards Michal.
On 4/15/07, Stefan Esser [EMAIL PROTECTED] wrote:
Hello,
On Sun, 15 Apr 2007, Michal Majchrowicz wrote:
I wanted to show that it is possible to perform some kind of Cross
Domain Requests.
As much as I loathe the origin-based security model of modern web
browsers, there are semi-valid reasons why XMLHttpRequest is restricted
the way it is.
A remote
Hi.
I think it is a security matter. I don't think that whole
XMLHttpRequests should be cross domain. Just a small part of it...
Using my script you can create an evil javascript code that will
interact with user in real time. You can create (I already did it) a
script that will contact some kind of