| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0908190507040.20351@forced.attrition.org> Date: Wed, 19 Aug 2009 05:09:30 +0000 (UTC) From: security curmudgeon <jericho@...rition.org> To: faghani@...c.ir Cc: bugtraq@...urityfocus.com Subject: Re: Elkapax CMS Cross site scripting vulnerability : Title: Elkapax CMS Multiple Vulnerabilities : : Vendor: www.elkapax.com : Fix: N/A : Elkapax is a CMS producer in Iran. Search page in Elkapax CMS : : product are vulnerable to XSS vulnerability. : : Cross Site Scripting vulnerability in Search page in "q" parameter. : : http://example.com/?q=<script>alert(123)</script>&mode=2 : : Solution: : : Input validation of Parameter "q" should be corrected. : : Credit: : : Isfahan University of Technology - Computer Emergency Response Team : : Thanks to : N. Fathi, E. Jafari, M. R. Faghani So a University of Technology maintains a CERT team, that discloses the most basic of XSS flaws, and you cannot even figure out which script is affected? You thank three people, presumably for help in this discovery or advisory. On top of that, you disclose this without a solution other than "sanitize input" in so many words. I believe you have done worse than any of the random <script> pasting kiddies flooding the list for the last ten years. - security curmudgeon
Powered by blists - more mailing lists