Yes, I see where you are going, but to be precise (and I think we should be, so that people do not start saying 'Django is susceptible to XSS!'), it is the other site that would most likely be vulnerable to XSS. You would have to go to that site and click a link embedded somewhere, and then, for no apparent reason, have your own Django admin login presented to you, log in, and then it would send something, presumably your Django session id, somewhere else. This is pretty much just an overly complex XSS attack on the first site to gain Django credentials, but it does not constitute a Django XSS attack. Perhaps we could say that Django is susceptible to a new class of attack, but it is not XSS, nor XSRF. I vote we call it either 'ICXSRA' (for Inconveniently Complex Cross Site Reception Attack), or 'joe'. You pick. -richard
On 5/7/08, James Bennett <[EMAIL PROTECTED]> wrote:
>
> On Wed, May 7, 2008 at 3:18 PM, Richard Dahl <[EMAIL PROTECTED]> wrote:
> > If I said that this condition is indicative of an XSS attack vector I
> > may as well say that Apache is vulnerable to a Denial of Service
> > attack because 'after I ran apachectl stop, I could no longer get to
> > my website'
>
> No, because someone else could put a link on their site to my admin
> with this sort of thing embedded. Yeah, it's a big reach in terms of
> the user needing to be completely braindead to fall for it, but it's
> possible and so we need to take it seriously.
>
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."

