Open Source and information security mailing list archives
 
Date: Tue Apr 18 18:10:07 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Can everyone stop posting fake Yahoo XSS vulns?

I complained to Securityfocus for letting
http://www.securityfocus.com/archive/1/431039 this one through. The
"done=" thing is on purpose and is there by design, there is no threat
per se, and it won't be fixed, because there's nothing to fix. Folks
complained about something similar years ago with the rd.yahoo.com
thing, which had more substance to it than the recent "done=" thing.
If done= was a real potential threat it would have been sorted years
ago. Every hacker on the planet, including Yahoo security team, knows
you can add -any- address onto there, it is not XSS.
Please read what XSS is before you post.

You can claim a phishing vector with your fake vuln, but you can't
claim cross-site scripting.

Title your "Advisories" in the correct way, it's misleading to cry
"XSS" at every phishing vector, which doesn't in fact involve XSS in
its true meaning.

Thanks, n3td3v

And I'm posting this here, because Securityfocus didn't believe in
freedom of speech when I sent a similar message in reply to the
Securityfocus thread.

Just don't cry wolf too many times with XSS...
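
The distinction drawn in the message above, as an added example that is not part of the original post: a triage helper that separates an off-site redirect target (a phishing vector) from a value that would need XSS review. The names `classifyRedirectTarget`, `TRUSTED_HOSTS` and `BASE`, and all hosts and sample values, are assumptions constructed for illustration and do not describe Yahoo's implementation.

```javascript
// Added example: triage of a redirect-style parameter value such as "done=".
// TRUSTED_HOSTS, BASE and every sample value below are constructed.
const TRUSTED_HOSTS = new Set(["login.example.com", "mail.example.com"]);
const BASE = "https://login.example.com/";
const SCRIPT_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

function classifyRedirectTarget(value) {
  let url;
  try {
    // The WHATWG parser resolves relative and scheme-relative ("//host")
    // forms against BASE, the way a browser would follow the redirect.
    url = new URL(String(value), BASE);
  } catch {
    return "invalid";
  }
  // A script-capable scheme is the only case that can lead to script
  // execution, and only if the value reaches a client-side navigation sink.
  if (SCRIPT_SCHEMES.has(url.protocol)) return "script-scheme";
  if (url.protocol !== "https:" && url.protocol !== "http:") return "other-scheme";
  // Exact host match: suffix or substring checks would accept look-alike hosts.
  return TRUSTED_HOSTS.has(url.hostname) ? "same-site" : "open-redirect";
}

// How each result should be titled in a report.
const REPORT_CLASS = {
  "same-site": "no finding",
  "open-redirect": "open redirect (phishing vector), not XSS",
  "script-scheme": "review for XSS at the navigation sink",
  "other-scheme": "review scheme handling",
  "invalid": "rejected by the URL parser",
};

// Constructed sample values for the parameter.
const SAMPLES = [
  "/inbox",
  "https://mail.example.com/",
  "https://phish.example/login",
  "//phish.example/login",
  "https://login.example.com.phish.example/",
  "javascript:void(0)",
];

for (const s of SAMPLES) {
  const c = classifyRedirectTarget(s);
  console.log(`${s} -> ${c}: ${REPORT_CLASS[c]}`);
}
```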
