| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Sep 2010 18:58:05 -0500 (CDT) From: security curmudgeon <jericho@...rition.org> To: advisory@...ridge.ch Cc: bugtraq@...urityfocus.com Subject: Re: XSS vulnerability in Auto CMS : Vulnerability ID: HTB22564 : Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_auto_cms.html : Product: Auto CMS : Vendor: Roberto Aleman ( http://ventics.com/autocms/ ) : Vulnerable Version: 1.6 and Probably Prior Versions : Vulnerability Type: XSS (Cross Site Scripting) As an FYI, you apparently missed the arbitrary PHP code execution in this product. Checking Secunia, it appears that Eskarina Smith found a considerably more serious issue in index.php: http://secunia.com/advisories/41147/ Figured I would share this since it doesn't appear this was disclosed on Bugtraq. I'd also point out that this really makes people question your auditing and ethical hacking ability. If you find XSS and pedestrian SQLi, but miss code execution, it doesn't bode well for your customers. : Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Powered by blists - more mailing lists