Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
1. OVERVIEW
Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting issues.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide
I've tested the PoCs on 1.5.22 and some 1.0 sites, and I consistently get a
403 error.
Perhaps by 1.6.3 and lower you meant 1.6.x?
Cheers,
Chris.
On Tue, Jun 28, 2011 at 8:25 AM, YGN Ethical Hacker Group li...@yehg.netwrote:
Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS)
On Mon, Jun 27, 2011 at 8:04 PM, YGN Ethical Hacker Group li...@yehg.netwrote:
The XSS results are from purely blackbox scan on Mambo 4.6.5.
Wait, so you're telling me that you're running some program to find these
and then just reporting the results to this list? If so, please give some
Information
Name : SQL Injection and XSS discovered
Software : RG Board 2.2
Vendor Homepage : http://www.rgboard.com/
Vulnerability Type : SQL injection and XSS reflected
Severity : High
Researcher : Juan Sacco jsacco [at] insecurityresearch [dot] com
Description
Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under
the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5:
Hi,
its kinda sstupid/s incorrect way of detecting ddos by reading http
responce.
if server says error 408, it could be just a script which takes long to
complete. if there is some caching server, e.g. nginx, before actual web
server, e.g. apache httpd, then error 502 could be a
Hello folks,
The modsecurity have a better result than mod_qos to slowloris attack,
mod_qos trend to increase the false positives because of NAT and slow
users.
If you test the R-U-D-Y, you see that, modsecurity too protect against
them.
See:
On 28/06/2011 07:25, YGN Ethical Hacker Group wrote:
Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
FYI 1.5.21 seems to be AOK.
IMHO The Joomla team do not seem to grok the concept of regression testing and
keep
re-introducing the same XSS problems over and over
InfoSec Institute resources author Alec Waters gives you step by step
instructions on how to decrypt SSL for network monitoring:
http://resources.infosecinstitute.com/ssl-decryption/
Your thoughts?
___
Full-Disclosure - We believe in it.
Rather than that, I'd say the dev team is out of sync with the security
team..
On Tue, Jun 28, 2011 at 5:59 PM, Jacqui Caren-home
jacqui.ca...@ntlworld.com wrote:
On 28/06/2011 07:25, YGN Ethical Hacker Group wrote:
Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS)
Hello list!
I want to warn you about Cross-Site Scripting and Brute Force
vulnerabilities in Drupal.
-
Affected products:
-
Vulnerable are Drupal 6.22 and previous versions. Taking into account that
developers didn't fixed these holes, then
My thoughts?
Before posting a URL to FD, make damn sure that it isn't vulnerable to any
type of injection attacks. Luckily for you, I simply hid everything on the
page. A malicious attacker could have done significantly worse.
Fix that, and *then* I'll read the article.
On Tue, Jun 28, 2011 at
I wasn't intentionally being vague, and I don't honestly know much about
wordpress so the feature I exploited may very well be a [popular?] module
and not something custom. In any case, the issue is with the section at the
bottom that parses the referer to determine search engine queries (that
Asterisk Project Security Advisory - AST-2011-011
++
| Product | Asterisk |
InfoSec Institute resources author Alec Waters gives you step by step
instructions on how to decrypt SSL for network monitoring:
What? .. you mean it's possible to decrypt RSA when I have access to the
private key?
/news.
If you want to IDS your SSL stuff, you put the cert on a load
Christian Sciberras wrote:
Rather than that, I'd say the dev team is out of sync with the security
team..
Assuming that that may be a reasonable one-sentence encapsulation of
how Joomla development is organized...
The fact such a sentence can be meaningfully utterred tells us there
are
On Mon, Jun 27, 2011 at 7:54 PM, Doug Huff dh...@jrbobdobbs.org wrote:
Step 1: Have blind faith in infosec capabilities of third parties..
it is not advised to mount gay oxen of any type.
this site is an abomination... use at your own risk!
(the Sony of the BTC world!)
On Tue, Jun 28, 2011 at 9:09 AM, Adam Behnke a...@infosecinstitute.com wrote:
InfoSec Institute resources author Alec Waters gives you step by step
instructions on how to decrypt SSL for network monitoring:
...
Your thoughts?
using the ssl observatory to pre-generate useful certs and a
2011/6/26 김무성 ki...@infosec.co.kr:
...
I'm looking for meterials or information, research about that how to detect
DDoS attack through HTTP response analysis(throuput).
you're asking the wrong question.
instead of asking How can I automagically detect exploitation of my
shitty app via HTTP
19 matches
Mail list logo