lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0312181727460.2578-100000@www.saintcorporation.com>
Date: Thu, 18 Dec 2003 18:13:06 -0500 (EST)
From: bugtraq@...ntcorporation.com
To: bugtraq@...urityfocus.com
Subject: Re: Cross-site scripting vulnerability in SARA v<=4.2.7



On Thu, 18 Dec 2003, toddr arc com wrote:

> 1.  CSS: Tom indicates that SATAN and older versions of SAINT are not
>     vulnerable to CSS.  Tom is incorrect as all used the SATAN engine
>     which did not tranlate "<" and ">" to their html codes "&lt;" and 
>     "&gt;  I suspect that SAINT has fixed it, SARA has, but SATAN has
>     not.

I disagree. Tom's original posting seems correct. Although
SARA, SAINT, and SATAN all use an http engine derived from
the same code, this specific vulnerability arises from
code introduced in SARA which was not part
of SATAN or SAINT (from sara_run_action.pl):

$debug="ON" if  ! $daemon;
$debug=""   if  $daemon;
select CLIENT;

This block of code enables debugging whenever a scan runs
in non-daemon (standalone) mode and redirects the
debugging output to the browser, which, prior to 5.0.0,
could include service banners containing script tags.

And, in any case, worthwhile security ideas should
not be discouraged. If every vulnerability posting
were considered a "complaint" by the respective
vendor, this list would become a very unfriendly
environment for sharing security concerns.

--
Sam Kline
Chief Development Engineer
SAINT Corporation



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ