Open Source and information security mailing list archives
 
Message-ID: <1282838038.20090227093820@SECURITY.NNOV.RU>
Date: Fri, 27 Feb 2009 09:38:20 +0300
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@...URITY.NNOV.RU>
To: Ansgar Wiechers <bugtraq@...netcobalt.net>
Cc: bugtraq@...urityfocus.com
Subject: Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

Dear Ansgar Wiechers,

--Friday, February 27, 2009, 12:15:50 AM, you wrote to bugtraq@...urityfocus.com:

>>
>> Just wondering: how can a firewall protect against XSS/response splitting?

AW> You don't give the bad guys access to your UPS's web interface?

In the case of non-persistent XSS, form redirection or response splitting,
it's YOU who are the bad guy accessing the UPS's web interface, and another
bad guy can shut down your UPS by forcing your browser to send the required
request to the UPS.

-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/

