| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Jan 20 08:18:29 2006 From: sant.jadhav at gmail.com (MuNNa) Subject: MBT Xss vulnerability *Hahaha* ... native code doesnt seem to understand the meaning of Xss and why it can be of security concern. Here not only url re-direction is possible but also execution of malicious javascripts is possible.Your Lame reply makes me think that you are one of the following: 1.An employee of MBT criticising me in the interest of the company *'or'* 2.A poor spammer who doesnt know anything but tries to shows-off as if he is the MASTER. If this is the case carry on with your spamming business and good luck for your future. Regards; Santosh J. On 1/20/06, greybrimstone@....com <greybrimstone@....com> wrote: > > Actually, > Whats lame is you basing someone for telling others about a > security vulnerability. Keep posting! > > -Adriel > > -----Original Message----- > From: Native.Code <native.code@...il.com> > To: MuNNa <sant.jadhav@...il.com> > Cc: full-disclosure@...ts.grok.org.uk > Sent: Thu, 19 Jan 2006 21:52:54 +0800 > Subject: Re: [Full-disclosure] MBT Xss vulnerability > > What a lame vulnerability it is. If your POC redirects to another > site (which is not MBT site), how someone will become victim and > believe that he/she is doing business with MBT? > > Your post is yet another proof that FD is more and more inhibited by > scipt kiddies. Get a life! > > > On 1/19/06, MuNNa <sant.jadhav@...il.com> wrote: > Hii List; > > Recently, i found an Xss vulnerabilty in MBT web site. MBT offers > services from Consulting to Managed Services.It is the Corporate member > of The International Systems Security Engineering Association (ISSEA). > BS 7799 (Information Security Management Framework) certified > organization > > Vulnerability: > MBT XSS (Cross Site Scripting) Attacks > > Criticality: > Medium > > Description: > MBT ( http://www.mahindrabt.com/website/index.htm ) is a leading > India-based global IT solutions provider. As a proven leader in > application outsourcing and offshoring of business critical > applications, MBT enables its clients, protect their investment in > legacy systems, enhance capital budgets, reduce operating expenses and > build solutions for the multi-services future. However it suffers Xss > vulnerability on its own web page. > > Below is the proof-of-concept which explains this - > > http://www.mahindrabt.com/jse/jsp/search.jsp?q=[Xss malcode here] > > Re-directing the site to any malicious or fake site to trap the victim : > > http://www.mahindrabt.com/jse/jsp/search.jsp?q= > <script>document.location='http://www.[evil.site].com'</script> > > > Though it does not affect sever side alot and may seem harmless, but it > can be used to target college students or job-seekers as it is one of > the most attracting employer. Targets can be lured to visit the > malicious weblink under the pretext of some job positions being vacant. > Vendor notification: > > > Vendor has been notified twice, around 4 months ago but still there is > no response and I guess neither they are going to respond. > > > Regards; > Santosh J. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > ________________________________________________________________________ > Check Out the new free AIM(R) Mail -- 2 GB of storage and > industry-leading spam and email virus protection. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060120/82c230fd/attachment.html
Powered by blists - more mailing lists