[Phpmyadmin-devel] Re: [Phpmyadmin-users] bugs recently published on securityfocus are true?
Michal Cihar
nijel at users.sourceforge.net
Wed Jun 18 14:32:05 CEST 2003
On Wednesday 18 of June 2003 23:07, Garvin Hicking wrote:
> >> Most actions need a valid 'session' to
> >> execute cross-site scripting, which is not *that* serious.
> >
> > Maybe even worse, you can include javascript that will read cookies with
> > login and password...
>
> I don't know if I understand that correctly: You can only read your own
> cookies with JavaScript, and you know that password already. Because when
> others open a PMA page without a login, they only access their empty
> cookie, right?
You know that somebody is using phpMyAdmin with cookie auth (maybe also http,
I'm not sure about JS possibilities in this way) on some url, you make him
somehow click on link you've created (it is not as hard as it seems for most
users) and you've got his login/password...
--
Regards
Michal Cihar
nijel at users dot sourceforge dot net
http://cihar.liten.cz
More information about the Developers
mailing list