| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Nov 2004 16:05:49 +0000 From: Andrew Smith <stfunub@...il.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: TRUSTe.org Cross-Site-Scripting Phishing oppurtunities Website: http://truste.org Background: TRUSTeĀ® is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. Through extensive consumer and Web site research and the support and guidance of many established companies and industry experts, TRUSTe has earned a reputation as the leader in promoting privacy policy disclosure, informed user consent, and consumer education. TRUSTe's members include eBay, Apple, MSN, NYTimes and many other big, scary corporations. Description: Truste's 'ivalidate.php' is used to validate "trusted" sites. Whilst the script does add slashes to quotes and closes <script> and <style> tags, there are a number of HTML tags it does not strip, including <linK>,<div>,<iframe>. This leaves the site open to attack from phishers wanting to make their site appear "trusted". Further information can be found here: http://wheresthebeef.co.uk/XSS/ TrustE.org were informed of the vulnerability through various e-mail addresses 5 days ago, they are yet to respond or fix the problem. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists