Re: [WebDNA] Security Problem

This WebDNA talk-list message is from 2015.


numero = 112350
Some further reading: http://www.veracode.com/security/csrf

The proposed WebDNA session id would help to combat this small but viable security risk.

Kind regards

Stuart Tremain
IDFK Web Developments
AUSTRALIA
webdna@idfk.com.au

> On 15 Jun 2015, at 10:58, Stuart Tremain <webdna@idfk.com.au> wrote:
>
> I just came across this on Firefox (must be Firefox) on a client's website:
>
> http://yourdomain.com/?test="</script><img src=x onerror=alert(document.cookie)>
>
> This can be a problem in that an attacker can redirect cookies on his own website to hijack the account of a victim by sending the affected link.
>
> I know that it is very remote, but it is a known vulnerability.
>
> Kind regards
>
> Stuart Tremain
> IDFK Web Developments
> AUSTRALIA
> webdna@idfk.com.au
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to the mailing list. To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> Bug Reporting: support@webdna.us

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Security Problem (Tom Duke 2015)
  2. Re: [WebDNA] Security Problem (Stuart Tremain 2015)
  3. [WebDNA] Security Problem (Stuart Tremain 2015)
Stuart Tremain
