| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Sep 2010 17:36:59 +0200 From: "Jan G.B." <ro0ot.w00t@...glemail.com> To: MustLive <mustlive@...security.com.ua> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Vulnerabilities in CMS MYsite 2010/9/25 MustLive <mustlive@...security.com.ua>: > Affected products: > > All versions of CMS MYsite before last one where vulnerabilities were fixed > (mostly). Sorry... what? What is last one where vulns? Mostly lesser? > > Timeline: > > 2010.06.29 - announced at my site and later informed developers of CMS. Bad boy! > Developers quickly answered that they'd look at them. Looked at whom? > 2010.09.25 - disclosed at my site. Developers didn't inform me when they > fixed the holes, but today I found that they already fixed holes (at least > at their own site). But I note, that even XSS is fixed, but not efficiently, > so at turned off mq at the site it's possible to conduct XSS attack, > particularly with using of MouseOverJacking. > Yeah! Whatever you say, man. But for the interested user without any clue one might add, that there is no such thing as "MouseoverJacking". What you described as "MouseoverJacking" is a simple XSS bug where the attacker (you) inserts .. erm... stupid or unnecessary code. See also http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/msg00500.html Regards _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists