Re: [Full-disclosure] UNSUBSCRIBE
Do you know how to use a list? Do you think there are a bunch of monkeys sitting at the other end of the list who are constantly monitoring who sends what and would unsubscribe someone as soon as they see a post with UNSUBSCRIBE message? No! You need to unsubscribe using a well defined procedure. Do you know how to use Google or are you a clown who escaped from the village circus? On 10/9/07, sushil Agarwal [EMAIL PROTECTED] wrote: UNSUBSCRIBE please dont send me any mail now onwards ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
V - EXPLOIT CODE An exploit for this vulnerability has been developed but will not released to the general public at this time. Don't ever release that to general public. Why would we like to run rm -rf / in such a funny way? I can type the command in the shell if all I want to do is attack myself. ;-) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] BLOGGER XSS VULNERABILITY
Comments do not allow javascript. Safe!!! On 8/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Sun, 12 Aug 2007 21:41:05 +0530, Susam Pal said: But I am the only one who is inserting the JavaScript in my blog. So, I'll end up stealing the cookies set for my domain. Why would I steal cookies set for my domain? I already know them because it is my website. Obviously, your blog doesn't allow any users to comment... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] HomestayFinder XSS Vulnerability in Wikipedia Mirror
It works for me. JS enabled in your browser?
On 7/11/07, Matjaz Debelak [EMAIL PROTECTED] wrote:
Well, it does not appear to work for me in any browser (tested Firefox
2.0.0.3 and Konqueror).
LP Killer_X
Susam Pal wrote:
There is an XSS vulnerability in HomestayFinder's 'Dictionary.aspx'
script which is responsible for mirroring the content of Wikipedia. I
found this interesting because here a script injected in one website
exploits an XSS vulnerability in another website.
I am including only a short example to demonstrate the issue. The
complete document is available at:-
http://susam.in/security/advisory-2007-07-11.txt
http://en.wikipedia.org/wiki/User:Susam_pal/Sandbox consists of the
following as the source wiki markup:
scriptalert('XSS Demo')/script
http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
consists of the same code as HTML without the special characters encoded
as HTML entities. Hence, the script is executed on the browser of the
visitor.
Contact Information:-
Susam Pal
[EMAIL PROTECTED]
http://susam.in/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] HomestayFinder XSS Vulnerability in Wikipedia Mirror
http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
now redirects to
http://www.inglesnoexterior.com/dictionary.aspx?q=User:Susam_pal/Sandbox
Vulnerable script moved to another domain. To protect the cookies of
homestayfinder.com???
Wondering whether this kinda attack would be called persistent XSS or
something else? This is a case where the attack vector goes into one
site and the vector exploits another site. How to classify this?
On 7/11/07, Susam Pal [EMAIL PROTECTED] wrote:
Hi Matjaz,
I just checked it and I find it to be working with the browsers I have
(tested with Firefox 2.0.0.3 and Internet Explorer 7).
http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
demonstrates the vulnerability.
http://en.wikipedia.org/wiki/User:Susam_pal/Sandbox is the page where
the script is hosted. The script present in Wikipedia exploits the XSS
vulnerability in HomestayFinder's Dictionary.aspx script.
Regards,
Susam Pal
Matjaz Debelak writes:
Well, it does not appear to work for me in any browser (tested Firefox
2.0.0.3 and Konqueror).
LP Killer_X
Susam Pal wrote:
There is an XSS vulnerability in HomestayFinder's 'Dictionary.aspx'
script which is responsible for mirroring the content of Wikipedia. I
found this interesting because here a script injected in one website
exploits an XSS vulnerability in another website.
I am including only a short example to demonstrate the issue. The
complete document is available at:-
http://susam.in/security/advisory-2007-07-11.txt
http://en.wikipedia.org/wiki/User:Susam_pal/Sandbox consists of the
following as the source wiki markup:
scriptalert('XSS Demo')/script
http://www.homestayfinder.com/Dictionary.aspx?q=User:Susam_pal/Sandbox
consists of the same code as HTML without the special characters encoded
as HTML entities. Hence, the script is executed on the browser of the
visitor.
Contact Information:-
Susam Pal
[EMAIL PROTECTED]
http://susam.in/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
