On Wednesday 18 of June 2003 23:07, Garvin Hicking wrote:
Most actions need a valid 'session' to execute cross-site scripting, which is not *that* serious.
Maybe even worse, you can include JavaScript that will read cookies with login and password...
I don't know if I understand that correctly: You can only read your own cookies with JavaScript, and you know that password already. Because when others open a PMA page without a login, they only access their empty cookie, right?
You know that somebody is using phpMyAdmin with cookie auth (maybe also HTTP; I'm not sure about the JS possibilities in that case) on some URL, you somehow make him click on a link you've created (it is not as hard as it seems for most users), and you've got his login/password...
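The thread's risk is a credential-bearing cookie that injected script can read. As an added example (not phpMyAdmin's own code, written after the message above), here is the weak pattern beside the hardened one: the cookie name `pma_auth`, the `dbName` parameter and the credential blob are all constructed placeholders.

```php
<?php
// Added example, not phpMyAdmin code. Shows the two defects the thread
// implies (script-readable credential cookie, unescaped reflected value)
// and the mitigation for each.

// Weak: the credential cookie is visible to document.cookie, and the
// request parameter is echoed into the page without escaping, which is
// the reflected-XSS shape the thread describes.
function weak_render(string $dbName, string $authBlob): string
{
    setcookie('pma_auth', $authBlob);            // constructed name; readable by page script
    return "<h1>Database: $dbName</h1>";        // $dbName not escaped
}

// Hardened: HttpOnly keeps the cookie out of document.cookie (Secure and
// SameSite limit where it travels), and htmlspecialchars() turns any
// markup in the reflected value into inert text.
function hardened_render(string $dbName, string $authBlob): string
{
    setcookie('pma_auth', $authBlob, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
        'path'     => '/',
    ]);
    $safe = htmlspecialchars($dbName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Database: $safe</h1>";
}

// Constructed sample input: a value carrying a script tag, as an attacker-
// supplied parameter would.
$tainted = '<script>/* would run in the victim browser */</script>';
echo hardened_render($tainted, base64_encode('placeholder-credentials')), PHP_EOL;
// Output contains &lt;script&gt;... rather than a live <script> element.
```

HttpOnly removes only the cookie-theft outcome; script injected through the unescaped parameter can still act as the logged-in user, so the output escaping is the fix the cookie flag does not replace.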