| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Jan 2013 12:07:52 +0100 From: osaft <osaft@...abit.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: http://www.heise.de - Cross-site Scripting vulnerability On Thu, 10 Jan 2013 19:47:25 +0100 Stefan Schurtz <sschurtz@...nline.de> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Advisory: heise.de - Cross-site Scripting vulnerability > Advisory ID: SSCHADV2013-002 > Author: Stefan Schurtz > Affected Software: Successfully tested on heise.de > Vendor URL: http://www.heise.de > Vendor Status: fixed > > ========================== > Vulnerability Description > ========================== > > http://www.heise.de is prone to a XSS vulnerability > > ========================== > PoC-Exploit > ========================== > > http://www.heise.de/foto/galerie/suche/photo/?suchwort=" > onMouseMove=alert(document.cookie) ' > > ========================== > Solution > ========================== > > fixed > > ========================== > Disclosure Timeline > ========================== > > 03-Jan-2013 - informed heise Security > 04-Jan-2012 - fixed by developer > > ========================== > Credits > ========================== > > Vulnerability found and advisory written by Stefan Schurtz. > Now thats valeable information. Thank god that you informed about this groundbreaking issue, Stefan. I will update my personal heise.de right away. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists