Bugtraq mailing list archives
RE: Circumventing CSFR Form Token Defense
From: "James C. Slora Jr." <james.slora () phra com>
Date: Thu, 11 Jan 2007 08:59:09 -0500
bugtraq () phihag de wrote Tuesday, January 09, 2007 7:21 PM
Testing (only with IE, Firefox, Opera and Konqueror so far) I found no way to circumvent the restrictions on *reading* requested pages from JS - setting up the request works, but attempts to read the document (embedded in a frame/object*/iframe) failed with some "access denied" exception (FF, Opera: exception, Konqueror: undefined values, IE: strange errors) when domain names do not match.
*except IE
Does this mean that Object works to exploit IE?