lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20070212043809.1503.qmail@securityfocus.com>
Date: 12 Feb 2007 04:38:09 -0000
From: claxus@...il.com
To: bugtraq@...urityfocus.com
Subject: Radical Technologies - Portal Search- multiple XSS issue

Site : Raditech.es
Product : Portal Search (May be others)

Portal Search is a product that can help to search in one or multiple Web sites. http://www.raditech.es/esp/servicios/portal-search.shtml

This product can SEARCH and INDEX the contents of a entire web site,additionally this product doesn't validate user input. So these types of attacks are possible.

-URL redirection (So Phising attacks can be easy)
-Cross Site Scripting
-Business Logic can be revealed trough Searching some type of characters 
-Some Others

-URL redirection 
http://target/?http://www.hackersite.com
and the hacker site is displayed in the main FRAME of www.somesite.com

-Cross Site Scripting
http://target/buscador/buscador.htm?%3CIFRAME%20SRC=%22javascript:alert('XSS');%22%3E%3C/IFRAME%3E
The result of this URL is that all the records are displayed.

-Business Logic can be revealed trough Searching some type of characters.
http://target/buscador/buscador.htm?

Thanks and sorry by my English

Regards

Pedro Alexander Garcia
claxus@...il.com
Colombia 2007

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ