Re: Wbb 2.3. xss

To: r57shell@xxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Wbb 2.3. xss
From: Adrian <adrian@xxxxxxxxxxxxxxxx>
Date: Sat, 4 Mar 2006 20:32:03 +0100
In-reply-to: <20060304174215.26998.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060304174215.26998.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: Adrian <adrian@xxxxxxxxxxxxxxxx>

Thats not a real problem.
You need a valid acp session id which is impossible to get unless you
compromise the system of an administrator (it's not stored in a
cookie).
Additionally it's in the admin cp, so it's not exploitable by bad
people unless you give them acp access.

References:
- Wbb 2.3. xss
  - From: r57shell

Prev by Date: Re: Various router DoS
Next by Date: vulnerability in the IE Java applet initialization engine
Previous by thread: Wbb 2.3. xss
Next by thread: Visual Studio 6.0 Buffer Overflow Vulnerability
Index(es):
- Date
- Thread