[Phpmyadmin-devel] Re: [Phpmyadmin-users] bugs recently published on securityfocus are true?

Michal Cihar nijel at users.sourceforge.net
Wed Jun 18 14:32:05 CEST 2003


On Wednesday 18 of June 2003 23:07, Garvin Hicking wrote:
> >> Most actions need a valid 'session' to
> >> execute cross-site scripting, which is not *that* serious.
> >
> > Maybe even worse, you can include javascript that will read cookies with
> > login and password...
>
> I don't know if I understand that correctly: You can only read your own
> cookies with JavaScript, and you know that password already. Because when
> others open a PMA page without a login, they only access their empty
> cookie, right?

You know that somebody is using phpMyAdmin with cookie auth (maybe also HTTP, 
I'm not sure about JS possibilities in this way) on some URL, you make him 
somehow click on a link you've created (it is not as hard as it seems for most 
users) and you've got his login/password...

-- 
Regards
	Michal Cihar
	nijel at users dot sourceforge dot net
	http://cihar.liten.cz




