Full Disclosure: Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit

From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sat, 30 Oct 2004 19:13:05 -0700

this is the exact ISSUE !!!
YOU SCORE BONUS POINTS!!!

Indeed, but surely the cookie information stored should be dependant on
the user's authentication details? It makes sense to use semi-dynamic
cookie information like this, making holes like this one a little more
hard to 'gain and keep' access.

there is a [x] box..

"Don't ask for my password for 2 weeks."

this sets the users cookie. Gmail uses the cookie for authentication.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Slashdot: Gmail Accounts Vulnerable to XSS Exploit Shoshannah Forbes (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Calum Power (Oct 30)
  - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit morning_wood (Oct 30)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Calum Power (Oct 30)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit morning_wood (Oct 30)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 30)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Nancy Kramer (Oct 31)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 31)
    - Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Jesse Ruderman (Oct 31)