On Apr 3, 2007, at 12:10 PM, Bob Ippolito wrote:
> Are you sure it's vulnerable? If you return a JSON object, it is not
> vulnerable. JSON objects are only valid expressions, not statements,
> so they are simply an error when sourced with a script tag.
>
> You are ONLY vulnerable if you [return, an, array] as the outer-most
> JSON object.

Are not all JSON objects associative arrays?

> -bob
>
> On 4/3/07, Paul Johnston <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> The advisory is relevant to TurboGears, which returns JSON data. If you have
>> a JSON method that returns confidential data to a logged on user, a
>> malicious website could harvest this. It is not FUD - at least one site I've
>> developed was vulnerable. You could harvest the company's internal contact
>> list.
>>
>> A quick fix at the TG level would be to have JSON controllers only return
>> JSON for POST requests.
>>
>> Paul
>>
>> On 4/3/07, Bob Ippolito <[EMAIL PROTECTED]> wrote:
>>>
>>> Not really. That exploit only applies to people returning arrays from
>>> server-side stuff and has absolutely no implications whatsoever for
>>> client-side toolkits such as MochiKit. It's mostly FUD.
>>>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears?hl=en
-~----------~----~----~----~------~----~------~--~---
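The two points raised in the thread (Bob's: only a bare top-level array is loadable through a script tag, an object literal is a syntax error there; Paul's: have JSON controllers answer only POST) can be turned into a small server-side guard. The following is an added example written for this page, not code from TurboGears or from either poster; the function names, the `{"data": [...]}` wrapper key and the 405 status are assumptions, and the request methods and payloads are constructed for illustration.

```python
"""
Added example (not from the thread or from TurboGears): two guards against
JSON array hijacking for an authenticated JSON controller.

1. Never emit a bare JSON array as the top-level value. An object literal
   such as {"a":1} is not a valid JavaScript statement, so a cross-site
   <script src=...> that loads it simply fails to parse; a bare array is a
   valid statement and is what the advisory is about.
2. Only answer JSON requests made with POST. A script tag can only issue a
   GET, so refusing GET removes the cross-site load path entirely.
"""
import json

# Compact separators so the expected bodies below are unambiguous.
_SEPARATORS = (",", ":")


def top_level_is_array(body: str) -> bool:
    """Audit helper: True when a JSON response text has a list as its
    outermost value, i.e. the shape that is loadable via a script tag.
    Raises ValueError for text that is not JSON at all."""
    return isinstance(json.loads(body), list)


def wrap_top_level_array(data):
    """Return `data` unchanged unless it is a list/tuple; lists are wrapped
    in an object under the (assumed) key "data" so the outermost value is
    always an object literal."""
    if isinstance(data, (list, tuple)):
        return {"data": list(data)}
    return data


def render_json(method: str, data, require_post: bool = True):
    """
    Serialise `data` for a JSON controller that returns per-user data.

    Returns (http_status, body). With require_post=True (the thread's
    suggested TurboGears-level fix) any non-POST request gets a 405 and no
    data; in every case a top-level array is wrapped before serialisation.
    """
    if require_post and method.upper() != "POST":
        return 405, json.dumps({"error": "JSON endpoint requires POST"},
                               separators=_SEPARATORS)
    body = json.dumps(wrap_top_level_array(data), separators=_SEPARATORS)
    # Defence in depth: assert the invariant the wrapper is meant to give us.
    assert not top_level_is_array(body)
    return 200, body


if __name__ == "__main__":
    # Constructed sample payload: an internal contact list of the kind the
    # thread describes as harvestable when returned as a bare array.
    contacts = [{"name": "Alice", "ext": "1234"}, {"name": "Bob", "ext": "5678"}]
    print(render_json("GET", contacts))            # refused: (405, ...)
    print(render_json("POST", contacts))           # wrapped: {"data":[...]}
    print(top_level_is_array(json.dumps(contacts)))  # True: the risky shape
```

`top_level_is_array` is the check to run over existing endpoints' responses when auditing an application; `render_json` is the shape a controller wrapper would take. Note that wrapping alone fixes the script-tag case the thread discusses but does not replace CSRF protection for state-changing POST handlers.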

