As it turns out the Postnuke issue in particular is a red herring. As the lead developer describes it -- the cookie generated is a local site cookie that is sandboxed within the confines of the browser/session. It is not the remote user's cookie. It is easy to be fooled by such a vulnerability if the local site cookie is empty as well as the remote user's cookie. Some conditions can generate the exact same look and feel.

Be warned that all instances of scriptable java within URL/HTML constructs (even with document.cookie) may not really be an XSS issue even if it walks, talks and acts like an XSS bug. Only carrying out the full exploit (cookie theft/account hijack) would prove if it is really an issue in these cases. However, I chose the alternative and obtained feedback from the author.

[The feedback came much later than the post to bugtraq; there was such a long delay I thought the post was moderated -- since it did get posted, this message serves as a correction.]

-- Mark Grimes <mark@stateful.net>
Stateful Labs