lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 4 Jan 2007 19:59:01 -0000
From: b2wang@...oo.com
To: bugtraq@...urityfocus.com
Subject: Re: Sun java System Messenger Express XSS

Interesting but yet I don't any possiblity of an attack.

URL like

http://host/?user=xdfa&error=%3Cscript%3Ealert('hakin9')%3C/script%3E

is generated when user login failed and JES webmail server issued an HTTP redirect

The webmail server itself will not issue URL like that unless the proxy server which the browser connects to get hacked.  But if a proxy server gets hacked, that is the end of game.  Your BofA account, stock accounts are all compromised, which has nothing to do with JES messaging server itself.

Secondly, one can look closer to what harm that URL can do.  Nothing.  That URL points to a LOGIN page where users have NOT logged in.  With no credential/cookie/session, a static login page cannot lead to any attack.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ