Re: [Full-disclosure] i hate it when some one beats me to a bug

2010-12-15 Thread Peter Besenbruch
On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
 I hate it when someone beats me to a bug report.
 https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
 will only work against Firefox).
 The XSS occurs due to no filtering / escaping of the display name attribute for a
 user.

Cute. Very cute.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
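The report quoted above describes the classic sink: a user-controlled display name dropped into an HTML attribute without escaping. The following is an added illustration, not code from the thread or from Mozilla's site: `render_profile_vulnerable` and `render_profile_safe` are constructed stand-ins for a profile template (the `/user/5578717/` path is taken from the quoted URL; the `title` attribute as the sink is an assumption), and `name_confined_to_attribute` is a small check a reviewer or test suite can run to confirm the value stayed inside its attribute after rendering.

```python
"""Added example (not from the thread): an unescaped display name in an
HTML attribute lets quotes rewrite the markup; contextual escaping with
html.escape(quote=True) confines the value to the attribute again."""
import html
from html.parser import HTMLParser

# Constructed sample name: the embedded quote closes the attribute and the
# remainder is parsed as a new attribute. A harmless class= stands in for
# any attribute an attacker might inject.
CONSTRUCTED_NAME = 'dave" class="injected'


def render_profile_vulnerable(display_name: str) -> str:
    """Stand-in for a template that drops the raw value into an attribute
    and into text content. Any quote or angle bracket in the name changes
    the resulting markup (assumed template, not the real one)."""
    return f'<a href="/user/5578717/" title="{display_name}">{display_name}</a>'


def render_profile_safe(display_name: str) -> str:
    """Same template with contextual escaping. quote=True (the default)
    turns " into &quot; so the value is safe inside a double-quoted
    attribute, not only in text content."""
    safe = html.escape(display_name, quote=True)
    return f'<a href="/user/5578717/" title="{safe}">{safe}</a>'


class _FirstTagAttrs(HTMLParser):
    """Collect every start tag seen and the attributes of the first one.
    html.parser decodes entity references in attribute values, so a
    correctly escaped name round-trips to its original text."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if self.attrs is None:
            self.attrs = dict(attrs)


def name_confined_to_attribute(rendered: str, display_name: str) -> bool:
    """True when the rendered markup contains exactly one <a> element, the
    title attribute decodes back to the original name, and no attribute
    other than href and title appeared. False means the name broke out."""
    parser = _FirstTagAttrs()
    parser.feed(rendered)
    parser.close()
    return (
        parser.tags == ["a"]
        and parser.attrs is not None
        and set(parser.attrs) == {"href", "title"}
        and parser.attrs["title"] == display_name
    )


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable),
                          ("safe", render_profile_safe)):
        out = render(CONSTRUCTED_NAME)
        print(f"{label}: {out}")
        print(f"  confined: {name_confined_to_attribute(out, CONSTRUCTED_NAME)}")
```

The check parses the output rather than grepping for `<script>`, because the failure mode here is an attribute breakout: the vulnerable rendering parses as an `<a>` with an extra `class` attribute and fails the check, while the escaped rendering parses as a single element whose `title` decodes to exactly the name that was supplied.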


Re: [Full-disclosure] i hate it when some one beats me to a bug

2010-12-15 Thread Benji
/fixed

On Wed, Dec 15, 2010 at 5:49 PM, Peter Besenbruch p...@lava.net wrote:

 On Thu, 2010-12-16 at 02:26 +1100, dave b wrote:
  I hate it when someone beats me to a bug report.
  https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
  will only work against Firefox).
  The XSS occurs due to no filtering / escaping of the display name attribute
  for a user.

 Cute. Very cute.



Re: [Full-disclosure] i hate it when some one beats me to a bug

2010-12-15 Thread Reed Loden
On Thu, 16 Dec 2010 02:26:57 +1100
dave b db.pub.m...@gmail.com wrote:

 I hate it when someone beats me to a bug report.
 https://addons.mozilla.org/en-US/firefox/user/5578717/ (this example
 will only work against Firefox).
 The XSS occurs due to no filtering / escaping of the display name attribute for a
 user.

Sorry, Dave, that somebody beat you to it, but we definitely
appreciate you taking the time to report the problem to us. Having
community support in finding vulnerabilities such as the one you
discovered is great for making sure users stay safe on the Web. We've
just pushed out a fix for it, so the issue should now be resolved.

Thanks for taking part in Mozilla's new Web Application Security Bug
Bounty Program[0] (such a mouthful to say or type). Let us know if you
discover any more issues, and hopefully, you'll be the first one that
time. :)

Have a wonderful rest of the week!

~reed
Mozilla Security Group

[0] http://blog.mozilla.com/security/2010/12/14/adding-web-applications-to-the-security-bug-bounty-program/

-- 
Reed Loden
r...@reedloden.com



Re: [Full-disclosure] i hate it when some one beats me to a bug

2010-12-15 Thread dave b
 Have a wonderful rest of the week!

You too!
You guys are awesome and fix things way too fast.
