XSS Vulnerabilities Reviewed and Re-Classified

An anonymous reader writes "Security Analysts at NeoSmart Technologies have revisited the now-famous XSS-type security vulnerabilities and attempted to re-classify their status as a security vulnerability. The argument is that XSS vulnerabilities are not a mark of bad or insecure code but rather a nasty but unavoidable risk that's a part of JavaScript - and that even then, XSS 'vulnerable' sites are no less dangerous or vulnerable at heart." Are they unavoidable, or just a symptom of lazy coding, or both?

Pardon Me?

[drpimp]

If it was only Javascript that would be one thing. But when some one can "include" say a remote PHP file, I believe this is still considered XSS, maybe just another class of XSS. This is when it becomes an issue. It can allow a user to run arbitrary commands as the web server user, or what ever user that PHP is running as. Next thing you know, if your system is not harded properly, you have remote IRC pipes or shells sending data to/from your server to some remote host. It's a much bigger problem than expressed in the article. Buzzword maybe, but buzzword or not, still has potentially vulnerable security implications.

Re:Pardon Me?

[dvaldenaire]

Could you explain how you manage to post BEFORE my answer ?

another TLA starting with X?

[m4c+north]

Taking the liberty to change T to trendy, sounds like XSS would fit in nicely with XHTML, XML, Xbox, Xmen, X11, Xray, and heaps of others as "X Something Something". Maybe we should ask Homer?