Message-ID: <200309160335.h8G3Zhiu091310@mailserver3.hushmail.com>
From: xss_slut at hushmail.com (xss_slut@...hmail.com)
Subject: Global *.net XSS, thank you Verisign(TM)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quite recently, Verisign took over the internet. What parts, you might ask?

Well, the parts in nomad land.

Do a dig on _anything_you_like.net, and you'll find an IP. Point a
browser at http://junkurlblahblah.net, and you'll find yourself at
sitefinder.verisign.com

This by itself doesn't create a vulnerability; however, when combined with an XSS bug, this works in IE:

http://";alert('slut');".net

This wildcard DNS on the .net TLD will wreak havoc on mail
servers, and a few other utilities that don't cleanly validate DNS names.


Other less exciting versions of this XSS:

http://sitefinder.verisign.com/lpc?url=meow'><script>alert(document.cookie)</script><'


There is some other really funky stuff going on with JS on the sitefinder site - take a peek at the source under the portal pages.

Finally, Verisign, you are now the number 1 domain squatter. Eat a big bowl of dicks.

-xss_slut

This post has been brought by the letter S and the number 4

Greets to your grandmother.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9mhQUACgkQmrMv95saTV/9TwCgl3TO4LArZLqLc0l8eMfyVMSulfoA
oKQm79sqnuF7sCtViw/BHcDHG82R
=rVGU
-----END PGP SIGNATURE-----
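The check a practitioner wants after reading the above, as an added example that is not part of the original post: probe a zone with random labels, treat a consistent answer for names that cannot exist as a wildcard, and use that to repair the naive "does the sender's domain resolve at all?" test that the post says wildcarding breaks on mail servers. The resolver is injected so the example runs offline against a constructed stand-in for the .net behaviour; the 192.0.2.x addresses and the names in it are constructed, and the live resolver under __main__ is an ordinary socket.gethostbyname wrapper.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_label(length: int = 20) -> str:
    """Random label long enough that an accidental collision with a real name is negligible."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(zone: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Return the wildcard address if names that cannot exist under `zone` still resolve.

    Several random labels are tried; a wildcard like the one the post describes answers
    all of them with the same address, while an honest zone returns NXDOMAIN.
    """
    answers = set()
    for _ in range(probes):
        addr = resolve(f"{random_label()}.{zone}")
        if addr is None:
            return None          # NXDOMAIN seen: no wildcard
        answers.add(addr)
    return answers.pop() if len(answers) == 1 else None


def naive_sender_domain_check(domain: str, resolve: Resolver) -> bool:
    """The check wildcarding breaks: 'does the sender's domain resolve at all?'"""
    return resolve(domain) is not None


def sender_domain_check(domain: str, resolve: Resolver) -> bool:
    """Same check, but an answer equal to the parent zone's wildcard address counts as NXDOMAIN."""
    addr = resolve(domain)
    if addr is None:
        return False
    parent = domain.split(".", 1)[1] if "." in domain else domain
    return addr != detect_wildcard(parent, resolve)


# Constructed stand-in for a wildcarded TLD (not the real .net): one real name, and
# everything else under .net answered with a single sink address. 192.0.2.0/24 is
# reserved for documentation, so nothing here points at a real host.
def fake_wildcard_net(name: str) -> Optional[str]:
    known: Dict[str, str] = {"example.net": "192.0.2.2"}
    if name in known:
        return known[name]
    return "192.0.2.1" if name.endswith(".net") else None


def system_resolver(name: str) -> Optional[str]:
    """Live resolver for real use; the constructed examples above never call it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("wildcard on constructed .net:", detect_wildcard("net", fake_wildcard_net))
    print("junkurlblahblah.net passes naive check:",
          naive_sender_domain_check("junkurlblahblah.net", fake_wildcard_net))
    print("junkurlblahblah.net passes wildcard-aware check:",
          sender_domain_check("junkurlblahblah.net", fake_wildcard_net))
```

Swap `fake_wildcard_net` for `system_resolver` to run it against a live zone; the same probe is what subdomain brute-forcers do before trusting any positive answer.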




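The reflection pattern behind both XSS payloads in the post, reconstructed as an added example: this is not Verisign's code (the post shows no source), only a minimal page that echoes the requested hostname into HTML and into a JavaScript string literal, beside a hardened version that escapes for each context. Function names and the page text are assumptions; the payloads are the two from the post.

```python
import html
import json
from typing import Optional


def render_vulnerable(requested_host: str) -> str:
    """The pattern the post describes: the unresolvable hostname is dropped straight into
    the page, both in HTML and inside a JavaScript string literal."""
    return (
        "<html><body>"
        f"<p>The site you requested, http://{requested_host}/, could not be found.</p>"
        f'<script>var requested = "{requested_host}";</script>'
        "</body></html>"
    )


def js_string_literal(value: str) -> str:
    """A JavaScript string literal that stays a single literal whatever `value` contains.

    json.dumps escapes the quote and backslash, but leaves '<', '>' and '&' alone, so
    a value containing '</script>' would still end the script block; escape those too.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_hardened(requested_host: str) -> str:
    """Same page with context-appropriate escaping: HTML escaping in markup,
    a proper string literal in script."""
    return (
        "<html><body>"
        f"<p>The site you requested, http://{html.escape(requested_host, quote=True)}/, "
        "could not be found.</p>"
        f"<script>var requested = {js_string_literal(requested_host)};</script>"
        "</body></html>"
    )


def extract_js_value(page: str) -> Optional[str]:
    """Parse `var requested = ...;` back out of the page as one JSON/JS string literal.

    Returns None if the literal is no longer a single string, which is exactly what
    a `";alert(...);"` injection does to it.
    """
    marker = "var requested = "
    start = page.index(marker) + len(marker)
    literal = page[start:page.index("</script>", start)].rstrip(";")
    try:
        return json.loads(literal)
    except json.JSONDecodeError:
        return None


# The two payloads from the post.
HOST_PAYLOAD = "\";alert('slut');\".net"
URL_PAYLOAD = "meow'><script>alert(document.cookie)</script><'"

if __name__ == "__main__":
    print(render_vulnerable(HOST_PAYLOAD))
    print(render_hardened(HOST_PAYLOAD))
    print(render_hardened(URL_PAYLOAD))
```

The hostname payload breaks the string literal in the vulnerable page and runs `alert('slut')` as a statement; in the hardened page the same bytes survive as data and `extract_js_value` recovers them unchanged. The `url=` payload targets the HTML context instead, which is why a single escaping routine applied everywhere is not enough.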