> Although very similar to XSS, writing SSI, PHP, or any other kind of server
> side language is not XSS, but rather a remote file writing vulnerability.
> The difference is there and I don't feel we should confuse the two. I am
> not sure if you would call client side scripting that is saved to a file on
> the server XSS, but I personally do not count it as such.

I don't agree at all; if anything, grabbing a file from another site and executing PHP in it is more XSS as I understand it, since you're 'crossing' servers to get the code. If this isn't XSS, then what about reaching to another domain to download a .js file for execution, like the recent vulnerabilities on online news pages? Perhaps there should be different terms for clientside/serverside XSS vulns, but I feel they fall under the same category.

Harry

This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 10:48:51 PST