| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Aug 2007 00:00:36 +0200 From: Hans Wolters <hans.wolters@...all.nl> To: bugtraq@...urityfocus.com Subject: Re: security contact for uat.edu needed On 31-jul-2007, at 0:42, Hans Wolters wrote: > Hi there, > > Anyone that knows how to contact responsible persons at uat.edu? > root@ and security@ do not seem to work. > Thanks all for your suggestions. Current state: abuse@ does not work and is listed in rfcignorant (since April this year). noc@ seems to work but does not answer whois contact person, seems to work but does not answer Other addresses do seem to work but do not answer either. Currently I can only announce the following. Uat runs a site called hackersdegree.com. This is a site that allows persons to toy with a javascript shell. It's not a dangerous bug but it allows people to insert XSS into it. The bigger problem is that they are also providing a link to liverperson.net. The people coding the site do not check any user input and therefor allow usernames with xss injected to. Let me be clear, this is not to be blamed on liveperson.net, I have found other instances that will talk to the liveperson.net robots that are not having these problems. The XSS used is not a simple <script>alert(foo.bar) thingy, it's slightly more complicated. If some of you are able to contact a whitehat over there then please let them contact me if they need more information, I am not wasting money calling abroad for something that is not a problem for me. A university tricking students to graduate in security should be able to secure their own sites. Best regards, Hans
Powered by blists - more mailing lists