Yes, sorry, that's what I was referring to about the "old problem". Should have been a bit clearer.
It only works on "shared" sites.

Karl Rudd

On 4/3/07, Ⓙⓐⓚⓔ <[EMAIL PROTECTED]> wrote:

Or is it the old problem with domain wide cookies? I give a cookie for x.com on jake.x.com and you read my cookie on karl.x.com? You still can't ajax to jake.x.com.

It sounds like disinformation to me!

On 4/2/07, Karl Rudd <[EMAIL PROTECTED]> wrote:
>
> Bah, it's not a new vulnerability, it's always been there and always
> been known about.
>
> I call FUD on this.
>
> The following is an excerpt that is the keystone of the whole thing:
>
> "In an example attack, a victim who has already authenticated
> themselves to an Ajax application, and has the login cookie in their
> browser, is persuaded to visit the attacker's web site. This web site
> contains JavaScript code that makes calls to the Ajax app. Data
> received from the app is sent to the attacker."
>
> Firstly _don't visit suspect sites_.
>
> Secondly their "example attack" is flawed. As far as I'm aware
> JavaScript code on one page does not have access to the cookies of
> other webpages. If it does it's a security flaw in the browser,
> nothing a JavaScript library can do about it.
>
> Karl Rudd
>
> On 4/3/07, Kush Murod <[EMAIL PROTECTED]> wrote:
> >
> > Hi guys,
> >
> > Article below says all big JS Libraries are vulnerable including JQuery
> > I didn't quite understand the article, but was hoping for some feedback
> > on it
> >
> > http://www.cbronline.com/article_news.asp?guid=484BC88B-630F-4E74-94E9-8D89DD0E6606
> >
> >
> > Cheers,
> >
> > --
> > Kush Murod, Web applications developer
> > Sensory Networks
> > [E] [EMAIL PROTECTED]
> > [W] www.sensorynetworks.com
> > [T] +61 2 8302 2745
> > [F] +61 2 9475 0316
> > [A] Level 6, 140 William Street East Sydney 2011
> >
>

--
Ⓙⓐⓚⓔ - יעקב ʝǡǩȩ ᎫᎪᏦᎬ
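Jake's message above describes two separate browser rules: cookie domain scoping (a cookie set with a Domain attribute of x.com from jake.x.com is also sent with requests to karl.x.com) and the same-origin policy (script on karl.x.com still cannot use XMLHttpRequest against jake.x.com). The following JavaScript is an added model of those two rules, written for this thread; it is not code from any of the posters or from any of the libraries the article mentions. The hostnames jake.x.com, karl.x.com and x.com are the ones used in the thread; the cookie names and the "lookalike" host notx.com are constructed. The domain-match logic follows the rule in RFC 6265, and the public suffix list is deliberately left out (assumption: x.com is an ordinary registrable domain).

```javascript
// Added example: a small model of the two browser rules discussed in the
// thread. Hostnames jake.x.com / karl.x.com / x.com come from the thread;
// cookie names and notx.com are constructed for illustration.

// RFC 6265 section 5.1.3 "domain-match": the host equals the domain string,
// or is a subdomain of it (the boundary must fall on a "."), and the host
// is not an IP address. The public suffix list is left out on purpose
// (assumption: x.com is a registrable domain, not a public suffix).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// Model of Set-Cookie processing (RFC 6265 section 5.3): a response from
// settingHost may only set a Domain attribute that covers settingHost itself.
// Without a Domain attribute the cookie is host-only.
function storeCookie(settingHost, name, attrs) {
  const domain = attrs.domain;
  if (domain !== undefined) {
    if (!domainMatches(settingHost, domain)) {
      // Browser ignores the cookie: jake.x.com cannot set Domain=karl.x.com.
      return null;
    }
    return { name, domain: domain.replace(/^\./, '').toLowerCase(), hostOnly: false };
  }
  return { name, domain: settingHost.toLowerCase(), hostOnly: true };
}

// Which stored cookies the browser attaches to a request for host
// (RFC 6265 section 5.4). This decision is made by the browser, by domain
// match alone; it does not depend on which page issued the request.
function cookiesSentTo(jar, host) {
  return jar
    .filter(c => c.hostOnly ? c.domain === host.toLowerCase() : domainMatches(host, c.domain))
    .map(c => c.name);
}

// Same-origin policy: scheme, host and port must all match. Note the contrast
// with cookies: a cookie scoped to x.com is shared by jake.x.com and
// karl.x.com, yet those two are different origins, so script on one cannot
// read an XMLHttpRequest response from the other.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Walk through the scenario Jake describes.
function scenario() {
  const jar = [];
  // "I give a cookie for x.com on jake.x.com"
  jar.push(storeCookie('jake.x.com', 'shared_login', { domain: 'x.com' }));
  // A host-only cookie from the same response, for comparison.
  jar.push(storeCookie('jake.x.com', 'jake_only', {}));
  // An attempt to set a cookie for a sibling host is rejected.
  const rejected = storeCookie('jake.x.com', 'bad', { domain: 'karl.x.com' });
  return {
    rejected,                                                                // null
    toKarl: cookiesSentTo(jar, 'karl.x.com'),                                // ['shared_login']
    toJake: cookiesSentTo(jar, 'jake.x.com'),                                // ['shared_login', 'jake_only']
    toLookalike: cookiesSentTo(jar, 'notx.com'),                             // []
    karlCanXhrJake: sameOrigin('http://karl.x.com/', 'http://jake.x.com/api'), // false
  };
}

console.log(scenario());
```

The point the model makes is that cookie scope and origin are decided by different rules: which cookies travel with a request is settled by domain matching, while what script may read back is settled by the scheme/host/port origin. Run it with Node (the URL constructor is a Node global) and compare the two results for karl.x.com: the shared cookie is attached, but karl.x.com and jake.x.com are still different origins.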