Quite frankly

Active Gmail "Sidejacking" - https is NOT ENOUGH

CookieCuller is a nice easy way to inspect this property of cookies.
You should check your banks :)

Security is a hobby of mine - unfortunately I have neither the
interest nor the time to produce a proof of concept of this attack.
Quite frankly, I'd rather spend my free time helping to improve the
Tor network, rather than releasing attacks that may compromise its
users or the general public. My reluctance to release does not stem
from any particular moral opposition to full disclosure. If Google and
other sites continue to ignore this issue, I may be motivated to make
a release. It is very likely "bad guys" will beat me to it anyway,

KIWICON ]|[ - 2009 Call For Papers

A wise deadite captain once yelled "Cry Havoc and let loose the Dogs of War!".
Quite frankly, we couldn't have said it better ourselves: 

   ~~          ~~ 
   ||          ||
 @@@@@@@@@@@@@@@@@    
 @@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@\___
 @@@@@@@@@@@@@@@@@@     \
 @@@@@@@@@@@@@@@@@ X___/

Re: Wordpress Malicious File Execution Vulnerability

Regarding this report of May 2008:
http://www.securityfocus.com/bid/29276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2392

The report is invalid. This is not a vulnerability or a security flaw. Quite frankly, I think it's a joke.

The report itself states: "You must login into wordpress with Administrator Roles". If you have logged into WordPress with Admin roles, then you are the blog owner or administrator. The fact that you can then upload any sort of file you want is a feature, not a bug. The admin has unlimited rights to the site, because he is the admin. Obviously.

Suggest this be marked as invalid everywhere it's been incorrectly marked as valid.


RE: VMWare poor guest isolation design

degrees from massive insecurity, this vector isn't the biggest problem you
have.

As to having to sometimes log into the console, I didn't say it was absurd,
but I did point out that it was trivial to disable the threat if you do:
don't run the guest utilities.  Problem solved.  And, quite frankly, how
much value do the guest utilities really provide?  Is there a single
application you can think of that needs it in order to run?  If it did then
you've found where the emulation and virtualization wasn't complete.

> Whether it affects you personally or not, it certainly is helpful to know



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.