On 1/20/06, MuNNa <[EMAIL PROTECTED]> wrote:
> Hii
>
> ->Why would he be concerned? The problem is that most sites on the
> internet suffer from XSS vulnerabilities, it's just that nobody cares
> because there is nothing to gain from the sites. Nothing to gain you
> say? Yes. Let's take this site you posted about for example, I
> didn't look over the entire site, but glancing I don't even see
> anything which XSS would help you compromise. The site seemingly is
> all static content (minus a search, correct me if I'm wrong) with no
> e-mail portal, forums, or anything else that the XSS could be
> leveraged to gain access to. Since the site offers no direct
> services (right?) what exactly could you trick people into doing here?
> The session cookie seems worthless since there's no login or
> anything...
>
> I have clearly mentioned in the disclosure that this XSS is not harmful for
> the server side but you can target a lot of people using this website. If you
> have completely read my disclosure mail, I have mentioned in the end that a
> lot of people seeking jobs can be targeted. I can say this because I know the
> value of this organisation from the point of placements. Moreover this
> organisation provides security solutions to other companies. From the point
> of the company's security everything is fine but from the point of its social
> image......

Okay.

> ->Which would be meaningful if:
> A) this site were used by millions of people
> B) there was something worth compromising the site for (like access to
> webmail, personal information, etc...)
> I think what I'm missing here is why this particular XSS is useful in
> any way shape or form? Am I missing something significant about
> this site? Do people trust it for something?
>
> As explained before, it can attract a lot of job-seekers. Millions of them.
> They trust this organisation. Even I do, very much.

Okay, see, that's why I asked; since this site is used by millions of people
that actually answers my question. Thank you.

> ->Isn't that what you are doing?
>
> I just posted a disclosure which I felt could be used by some bad guy to
> target innocent people. If anyone felt that this disclosure is some sort of
> spam and is really harmless, just discard it. At least I don't spam here by
> bashing someone else who has posted some disclosure. This bashing attitude
> reflects lamer qualities and this discourages others from mailing
> disclosures.

Yeah, I actually felt bad after I wrote that line, I just didn't understand how
his response contributed to spam and yours didn't, know what I mean?

> Hope I answered all your questions. Let's cut down the argument here.

You did, and thoroughly! I thank you!

> Regards;
>
> Santosh J

You da man,
Stan

> On 1/20/06, Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> > On 1/19/06, MuNNa <[EMAIL PROTECTED]> wrote:
> > >
> > > Hahaha ... native code doesn't seem to understand the meaning of XSS and
> > > why it can be of security concern. Here not only URL redirection is
> > > possible
> >
> > Why would he be concerned? The problem is that most sites on the
> > internet suffer from XSS vulnerabilities, it's just that nobody cares
> > because there is nothing to gain from the sites. Nothing to gain you
> > say? Yes. Let's take this site you posted about for example, I
> > didn't look over the entire site, but glancing I don't even see
> > anything which XSS would help you compromise. The site seemingly is
> > all static content (minus a search, correct me if I'm wrong) with no
> > e-mail portal, forums, or anything else that the XSS could be
> > leveraged to gain access to. Since the site offers no direct
> > services (right?) what exactly could you trick people into doing here?
> > The session cookie seems worthless since there's no login or
> > anything...
> >
> > > but also execution of malicious JavaScript is possible. Your lame reply
> >
> > Which would be meaningful if:
> > A) this site were used by millions of people
> > B) there was something worth compromising the site for (like access to
> > webmail, personal information, etc...)
> >
> > I think what I'm missing here is why this particular XSS is useful in
> > any way shape or form? Am I missing something significant about
> > this site? Do people trust it for something?
> >
> > > makes me think that you are one of the following:
> > > 1. An employee of MBT criticising me in the interest of the company
> > > 'or'
> > > 2. A poor spammer who doesn't know anything but tries to show off as if
> > > he is the MASTER. If this is the case carry on with your spamming
> > > business and good luck for your future.
> >
> > Isn't that what you are doing?
> >
> > -sb
> >
> > >
> > > Regards;
> > > Santosh J.
> > >
> > >
> > >

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
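The point the two posters are circling (a reflected XSS on a site that is "all static content minus a search" never touches server state, yet still runs attacker-chosen script, including a redirect, in the browser of every visitor who follows a crafted link) is easier to see in code. The following is an added example written for this page, not code from the thread, from the site under discussion or from MBT; the host names, the page layout and the payload are constructed for illustration.

```javascript
// Added example (not from the thread): a "static site plus search" page that
// reflects the query unescaped, beside an escaped version, and the crafted link
// an attacker would send to the site's visitors. All names are constructed;
// attacker.example / careers.example are reserved example domains.
const ATTACKER_HOST = 'attacker.example';

// Vulnerable handler: the search term is copied straight into the HTML, both
// into an attribute value and into text content.
function renderSearchVulnerable(query) {
  return `<html><body>
<form action="/search"><input name="q" value="${query}"></form>
<p>Results for: ${query}</p>
</body></html>`;
}

// Minimal HTML escaping that is safe for text content and for values inside
// double-quoted attributes (the two contexts the page above uses).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened handler: same page, but every copy of the query is escaped.
function renderSearchEscaped(query) {
  const q = escapeHtml(query);
  return `<html><body>
<form action="/search"><input name="q" value="${q}"></form>
<p>Results for: ${q}</p>
</body></html>`;
}

// Payload that closes the attribute, injects a redirect, and reopens an input
// so the rest of the markup still parses. The script runs in the victim's
// browser only; it needs no login or session on the site, which is why the
// absence of either does not blunt it.
const PAYLOAD =
  `"><script>location.href="https://${ATTACKER_HOST}/apply"</script><input value="`;

// The link a job-seeker would receive. The site itself is the trusted origin;
// the attacker-controlled part lives entirely in the query string.
function craftedLink(base) {
  return `${base}/search?q=${encodeURIComponent(PAYLOAD)}`;
}

// What the server sees after the browser sends the link: the decoded payload.
function queryFromLink(link) {
  return new URL(link).searchParams.get('q');
}

// Crude stand-in for "would a browser execute something here": the page
// contains a <script> element the site itself did not emit.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Runs the vulnerable and hardened handlers on the payload the server would
// receive from the crafted link and reports which one reflects live script.
function demo() {
  const link = craftedLink('https://careers.example');
  const q = queryFromLink(link);
  return {
    link,
    roundTripsIntact: q === PAYLOAD,
    vulnerableExecutes: containsInjectedScript(renderSearchVulnerable(q)),
    escapedExecutes: containsInjectedScript(renderSearchEscaped(q)),
  };
}

console.log(demo());
```

The check is deliberately a regex rather than a browser: the purpose is to show that the only thing standing between a visitor and the attacker's redirect is the escaping step in the handler, not anything about what the site stores or whether it has logins. Escaping is context-dependent; the helper above covers text and double-quoted attributes, and a value placed inside a script block, a URL, or an unquoted attribute needs a different encoder.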