mailing list archives
Can everyone stop posting fake Yahoo XSS vulns?
From: n3td3v <n3td3v () gmail com>
Date: Tue, 18 Apr 2006 18:09:57 +0100
I complained to Securityfocus for letting
http://www.securityfocus.com/archive/1/431039 this one through. The
"done=" thing is on purpose and is there by design, there is no threat
per say, and it won't be fixed, because theres nothing to fix. Folks
complained about something similar years ago with the rd.yahoo.com
thing, which had more substance to it than the recent "done=" thing.
If done= was a real potential threat it would have been sorted years
ago. Every hacker on the planet, including Yahoo security team know
you can add -any- address onto there, it is not xss
Please read what XSS is before you post.
You can claim a phishing vector with your fake vuln, but you can't
claim cross-site scripting.
Title your "Advisories" in the correct way, its misleading to cry
"XSS" at every phishing vector, which doesn't infact involve XSS in
its true meaning.
And i'm posting this here, because Securityfocus didn't believe in
freedom of speech when I sent a similar message in reply of the
Just don't cry wolf too many times with XSS...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Can everyone stop posting fake Yahoo XSS vulns? n3td3v (Apr 18)