Blackbird (Built for Speed, Premium) join:2005-01-14 Fort Wayne, IN kudos:3
| reply to therube
Re: Universal XSS in Opera
said by therube: ...I really wasn't expecting that. I was expecting that it might say wikimedia.com or even wikipedia.com.
So it appears that it can only "swipe the cookies" from the URL shortening service you happened to use, so like who cares. If that is the extent of it, then to me it is a non-issue.
In the interests of clarity, I did fail to earlier include that when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page, then entering your suggested address box text resulted in the alert box I've described (along with the page darkening).
-- "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775
|
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7
did you see the guy banging his head in the dark?
|
Blackbird (Built for Speed, Premium) join:2005-01-14 Fort Wayne, IN kudos:3
| said by Name Game: did you see the guy banging his head in the dark ?
Uhmm... other than me banging my head? When I click on the "proceed to this site" link on that page, all I get is a similar JavaScript alert box to what I described above, only this box lists:
quote: JavaScript (tinyurl.com) tinyurl.com [ ]Stop executing scripts on this page [OK]
|
therube join:2004-11-11 Randallstown, MD | reply to Blackbird
> when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page
Not exactly. I'm not sure exactly where you were "taken". It is more that you were "displayed" a page representative of Wikipedia's log-in page. (And it probably works too?)
If it were Wikipedia, javascript:alert(document.domain) would have said so.
And for clarity, my "therube" page is the same as what was discussed in this thread, "Firefox, Opera allow crooks to hide an entire phish site."
|
Name Game (Premium) join:2002-07-07 North Myrtle Beach, SC kudos:7
Therube, Translated to English with Chrome then pasted in an .rtf and zipped attached.
|
Blackbird (Built for Speed, Premium) join:2005-01-14 Fort Wayne, IN kudos:3
| reply to therube
said by therube: ... It is more that you were "displayed" a page representative of Wikipedia's log-in page. (And it probably works too?)
If it were Wikipedia, javascript:alert(document.domain) would have said so. ...
Your first sentence is correct. The red Opera badge does appear to the left of the Wikipedia "page" address (indicating it was not a webpage accessed in a normal browser manner). Frankly, I paid little attention to the Wiki "page" itself or any badging initially, in my eagerness to get your text entered correctly into the address box after it appeared, and because I was instead looking for some kind of JavaScript alert box to appear - which it did, when I entered the text. Needless to say, I was looking for the wrong thing. (Not the first time... and probably not the last)
So... whatever you set up at tinyurl does create the appearance of a Wiki "page" in Opera, although Opera badges it as an internal-created browser display (the data URI behavior). In playing around to see what the Wiki "page" would do if I tried to log in, it immediately coughed up more of the JavaScript alert boxes no matter what I attempted to enter. Also, clicking on any links on the "page" resulted in an Opera error message about "unsupported address type."
|
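A defender-side check for the behaviour discussed in this thread, where a short link lands the browser on a data: URI page rather than a web site: resolve the redirect target the way a URL parser would and allow only http(s) destinations. This is an added example, not code from the thread or from any shortening service; the host short.example and the sample Location values are constructed.

```javascript
// Added example: classify where a short link's redirect would send the browser.
// All sample values are constructed for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Naive check, shown for contrast: it misses mixed case, leading
// whitespace, and tabs/newlines embedded in the scheme.
function naiveIsDataUri(location) {
  return location.startsWith("data:");
}

// Parser-based check: the WHATWG URL parser trims leading whitespace,
// drops tabs/newlines and lowercases the scheme, so obfuscated
// spellings of "data:" normalise to the same protocol value.
function classifyRedirect(location, shortLinkUrl) {
  let target;
  try {
    // Relative Location values resolve against the short link itself.
    target = new URL(location, shortLinkUrl);
  } catch (e) {
    return { verdict: "block", reason: "unparseable", scheme: null };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { verdict: "block", reason: "non-web scheme", scheme: target.protocol };
  }
  return { verdict: "allow", reason: "web destination",
           scheme: target.protocol, host: target.hostname };
}

const base = "http://short.example/abc123"; // hypothetical shortener URL
const samples = [
  "https://en.wikipedia.org/wiki/Main_Page",
  "/next",
  "data:text/html,<h1>Log in</h1>",
  "  DaTa:text/html,<h1>Log in</h1>",
  "da\tta:text/html,<h1>Log in</h1>",
  "javascript:alert(document.domain)",
];
for (const s of samples) {
  const r = classifyRedirect(s, base);
  console.log(JSON.stringify(s), "->", r.verdict, r.scheme,
              "| naive data: match:", naiveIsDataUri(s));
}
```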