lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Aug 2007 00:00:36 +0200
From: Hans Wolters <hans.wolters@...all.nl>
To: bugtraq@...urityfocus.com
Subject: Re: security contact for uat.edu needed


On 31-jul-2007, at 0:42, Hans Wolters wrote:

> Hi there,
>
> Anyone that knows how to contact responsible persons at uat.edu?  
> root@ and security@ do not seem to work.
>

Thanks all for your suggestions. Current state:

abuse@ does not work and is listed in rfcignorant (since April this  
year).
noc@ seems to work but does not answer
whois contact person, seems to work but does not answer

Other addresses do seem to work but do not answer either.

Currently I can only announce the following. Uat runs a site called  
hackersdegree.com. This
is a site that allows persons to toy with a javascript shell. It's  
not a dangerous bug but it allows
people to insert XSS into it.

The bigger problem is that they are also providing a link to  
liverperson.net. The people coding
the site do not check any user input and therefor allow usernames  
with xss injected to. Let me
be clear, this is not to be blamed on liveperson.net, I have found  
other instances that will talk
to the liveperson.net robots that are not having these problems.

The XSS used is not a simple <script>alert(foo.bar) thingy, it's  
slightly more complicated.

If some of you are able to contact a whitehat over there then please  
let them contact me if
they need more information, I am not wasting money calling abroad for  
something that is not a problem for me. A university tricking  
students to graduate in security should be
able to secure their own sites.

Best regards,

Hans

Powered by blists - more mailing lists