Re: [WEB SECURITY] Firefox CSS flaws

["Michael Vergoz" <mv@xxxxxxxxxxxxx>]

Hi Brain,

Thanks for your small PoC :)
It is also possible to use the end-users (as rebound) to attack another Web 
server by exploiting the URIs.

> > Scary stuff
Oh yes it is, This is really serious.

Thanks,
Michael Vergoz

----- Original Message ----- 
From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
To: <gaz_sec@xxxxxxxxxxxx>
Cc: <websecurity@xxxxxxxxxxxxx>
Sent: Saturday, August 25, 2007 9:23 PM
Subject: Re: [WEB SECURITY] Firefox CSS flaws


> On 8/24/07, gaz_sec@xxxxxxxxxxxx <gaz_sec@xxxxxxxxxxxx> wrote:
> > I've written a CSS LAN scanner in pure CSS without Javascript. It
> > is possible to scan local addresses, store the result or even check
> > any url has been visited all without javascript!
> >
> > http://www.businessinfo.co.uk/labs/css_lan_scan/css_lan_scanner.php

> Didn't work for me, though from looking at the HTML I think it might
> work in some LANs.
>
> You seem to be relying on default IP addresses as a way of
> fingerprinting routers.  Any more to it than that?
>
> Cheers,
> Brian
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]