| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Apr 2010 21:30:56 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <bugtraq@...urityfocus.com> Subject: Vulnerability in Referer for DataLife Engine Hello Bugtraq! I want to warn you about security vulnerability in Referer module for DataLife Engine (DLE). ----------------------------- Advisory: Vulnerability in Referer for DataLife Engine ----------------------------- URL: http://websecurity.com.ua/3942/ ----------------------------- Affected products: Referer (aka "Perehody" on Russian) v.6.9 and previous versions. ----------------------------- Timeline: 29.06.2009 - found vulnerability. 11.02.2010 - announced at my site. 13.02.2010 - informed admin of web site where I found the vulnerability. 15.02.2010 - informed developers of DataLife Engine (at first I thought that hole existed in DLE, and admin of vulnerable web site didn't answer me and didn't fix the hole, but DLE developers said that hole is not in their engine and they didn't know what the module it is). 19.02.2010 - informed developers of the module (after I found that it's Referer module). 23.04.2010 - disclosed at my site. ----------------------------- Details: This is Cross-Site Scripting vulnerability. XSS: It's persistent XSS vulnerability. Which allows to conduct the attack via Referer header, in case when immediate links to queries in search engines are showing at the site. Referer: http://www.google.com/search?q=xss"><script>alert(document.cookie)</script> Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
Powered by blists - more mailing lists