Jamie Heilman wrote:
Chris Withers wrote:

The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less.


The token *is* the cred in that scenario, you can't not send some form
of credentials.


Can you explain the XSS risk when a client user is not permitted to write HTML content to be stored by the app?

The malicious code doesn't have to be stored in the app being attacked. Typically it's part of a URI pointing to the app to attack and includes the xss payload. That URI however could be found any number of places... social engineering usually comes into play then to get the victim to click on it. While it's typically easier to convince users to click a link if it comes from the same site it appears to be going to, (think about message board systems like slash where hyperlinks in comments are usually suffixed by [domain.com] to give the user the ability to avoid goatse and such) in the end, what dictates the likelihood of attack is the value of the service more than anything. [Sadly this doesn't dictate the likelihood of XSS holes getting reported on security lists, where people frequently post about every silly little backwater application they can find.]

Yup. I worry hard about XSS when it comes to my banking, my credit cards, my taxes; I don't much care when it comes to a news site.


restrictions, etc. but few people will go through the trouble, and I'd
wager most people using the various cookie-based auth folder products
don't even know the risks.

This I'd agree with, but I find the argument "this car's brakes only let me stop in 1 mile, so there's no point in changing them so I can stop in 0.5 miles" a poor one...


Well, knock yourself out, I mean, clearly auth techniques based around
cookies need a lot of additional protection.  Those same protections,
if written modularly, can usually be used to bolster HTTP auth as
well, so there's no harm in writing them.  It's convincing people to
actually use the damned things that's the problem.

Right, mostly for the same reasons you point out above: the perceived threat isn't enough to warrant the pain.


--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com
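The reflected-XSS mechanism Jamie describes above (payload carried in a URI rather than stored in the app) and the "[domain.com]" link-suffix habit from slash-style boards, as an added example in Python. This is not code from the thread, from Zope, or from any of the posters; the function names, the search page, and the sample URI are all constructed for illustration.

```python
# Added example, not from the thread or from Zope.
# Shows (1) a search page that reflects a query parameter straight into
# HTML, (2) the same page with the parameter escaped, (3) a small
# defensive check that tells the two apart, and (4) the slash-style
# "[domain]" suffix on links so a reader can see where a link really goes.
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a link a victim might be sent. The 'q' value is
# percent-encoded "<b>hi</b>", i.e. markup rather than a plain search term.
SAMPLE_URI = "http://app.example/search?q=%3Cb%3Ehi%3C/b%3E"


def query_from_uri(uri: str) -> str:
    """Return the decoded 'q' parameter of a URI ('' if absent)."""
    params = parse_qs(urlsplit(uri).query)
    return params.get("q", [""])[0]


def render_search_unsafe(q: str) -> str:
    """Reflects the query into the page verbatim: the vulnerable pattern."""
    return "<p>Results for: " + q + "</p>"


def render_search_safe(q: str) -> str:
    """Same page, but the query is HTML-escaped before it is embedded."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def reflects_raw_markup(uri: str, render) -> bool:
    """Defensive check: does `render` emit the URI's query unescaped when
    that query contains characters that are significant in HTML?"""
    q = query_from_uri(uri)
    if not any(c in q for c in "<>\"'"):
        return False  # nothing markup-like to reflect, nothing to flag
    return q in render(q)


def link_with_domain(href: str, text: str) -> str:
    """Render a user-supplied link with its host appended in brackets,
    the way the message boards mentioned in the thread do, so the reader
    can see the real destination before clicking. Everything is escaped."""
    host = urlsplit(href).hostname or ""
    return '<a href="%s">%s</a> [%s]' % (
        html.escape(href, quote=True),
        html.escape(text, quote=True),
        html.escape(host, quote=True),
    )


if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_raw_markup(SAMPLE_URI, render_search_unsafe))
    print("safe reflects markup:  ", reflects_raw_markup(SAMPLE_URI, render_search_safe))
    print(link_with_domain("http://evil.example/x", "click here"))
```

Running it shows the unsafe renderer echoing the `<b>hi</b>` markup back into the page while the escaped renderer emits `&lt;b&gt;hi&lt;/b&gt;`; the check is the kind of assertion a test suite can run over every template that embeds request data.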


_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
