Hi,

The advisory is relevant to TurboGears, which returns JSON data. If you have a JSON method that returns confidential data to a logged-on user, a malicious website could harvest this. It is not FUD - at least one site I've developed was vulnerable. You could harvest the company's internal contact list.

A quick fix at the TG level would be to have JSON controllers only return JSON for POST requests.

Paul

On 4/3/07, Bob Ippolito <[EMAIL PROTECTED]> wrote:
>
> Not really. That exploit only applies to people returning arrays from
> server-side stuff and has absolutely no implications whatsoever for
> client-side toolkits such as MochiKit. It's mostly FUD.
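The pattern Paul describes, as an added example that is not part of the original thread and not TurboGears' own code: a hostile page can include `<script src="https://victim-app/contacts">`, and the logged-on victim's browser sends that GET with the victim's session cookie attached, so an endpoint that answers GETs with a JSON array hands the data to the attacker's page. A `<script>` tag can only issue GETs, so refusing to emit JSON for anything but POST closes that route. The `Request` class, `json_post_only` decorator, handler names and the contact list are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from functools import wraps

# Constructed stand-in for a framework request object (not TurboGears' own).
@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)

# Constructed sample of the confidential data: an internal contact list.
CONTACTS = [
    {"name": "Alice Example", "ext": "1234"},
    {"name": "Bob Example", "ext": "5678"},
]

def is_logged_in(req):
    # Hypothetical session check: the browser attaches this cookie automatically,
    # which is exactly why a cross-site <script src> load looks authenticated.
    return req.cookies.get("session") == "valid-session"

def json_response(status, body):
    return status, {"Content-Type": "application/json"}, json.dumps(body)

def json_post_only(handler):
    """Only return JSON for POST requests (Paul's suggested TG-level fix).

    A <script src=...> on another origin can only make a GET, so the
    array is never served in a context the hostile page can read."""
    @wraps(handler)
    def wrapper(req):
        if req.method != "POST":
            return 405, {"Allow": "POST", "Content-Type": "text/plain"}, "POST required"
        return handler(req)
    return wrapper

def contacts_unprotected(req):
    """Vulnerable shape: a GET-able JSON array returned to a logged-on user."""
    if not is_logged_in(req):
        return 403, {"Content-Type": "text/plain"}, "login required"
    return json_response(200, CONTACTS)

@json_post_only
def contacts_protected(req):
    """Hardened shape: same data, but only on POST."""
    if not is_logged_in(req):
        return 403, {"Content-Type": "text/plain"}, "login required"
    return json_response(200, CONTACTS)

def simulate_script_tag_load(handler):
    """Model what a hostile page's <script src="/contacts"> causes the victim's
    browser to do: a GET with the victim's session cookie attached."""
    req = Request("GET", "/contacts", cookies={"session": "valid-session"})
    status, _headers, body = handler(req)
    return status, body

def simulate_app_xhr_post(handler):
    """Model the application's own same-origin XMLHttpRequest POST."""
    req = Request("POST", "/contacts", cookies={"session": "valid-session"})
    status, _headers, body = handler(req)
    return status, body

if __name__ == "__main__":
    print("script-tag GET, unprotected:", simulate_script_tag_load(contacts_unprotected))
    print("script-tag GET, protected:  ", simulate_script_tag_load(contacts_protected))
    print("app POST, protected:        ", simulate_app_xhr_post(contacts_protected))
```

The POST-only rule works because the only cross-site mechanism that can load a response as executable script is a GET. A hostile page can still submit a cross-site POST form, but it cannot read the response of that submission, so the array is not exposed; the application's own same-origin XMLHttpRequest POST continues to work unchanged.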

