Open Source and information security mailing list archives
 
From: anthrax101 at yahoo.com (Aaron Horst)
Subject: Re: Openware.org IE Fix - Warning

Not only does it have memory leaks and buffer
overflows, it contains an XSS flaw.

<a
href="http://www.openwares.org/cgi-bin/exploit.cgi?www.example.com</a><script>alert(unescape("This%20is%20cross%20site%20scripted!"))</script>">http://www.openwares.org/cgi-bin/exploit.cgi?www.example.com</a><script>alert(unescape("This%20is%20cross%20site%20scripted!"))</script></a>

Honestly, how can anyone who issues a security patch
have such enormous gaping holes in it? I think even
Microsoft could do better than this one. This takes a
relatively minor bug, and turns it into a wide open
security failure.

Their site does use cookies to track a session ID,
which could lead to a compromise of user accounts when
combined with a JavaScript XSS.

admin@...nwares.org notified.

Aaron Horst


=====
"A bug. Every system has a bug. The more complex the system, the more bugs. Transactions circling the earth, passing through the computer systems of tens or hundreds of corporate entities, thousands of network switches, millions of lines of code, trillions of integrated-circuit logic gates. Somewhere there is a fault. Sometime the fault will be activated. Now or next year, sooner or later, by design, by hack, or by onslaught of complexity. It doesn't matter. One day someone will install ten new lines of assembler code, and it will all come down." -- Ellen Ullman
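As an added illustration, not code from the openwares.org script or from this post: the reflection pattern the demonstration above implies (query string pasted into an href attribute and into the link text without encoding) next to a context-aware encoded version. The exact shape of the CGI output, the helper names and the sample payload are assumptions.

```python
# Added example; the real exploit.cgi source is not on this page.
# Assumption: the script builds <a href="BASE?QUERY">BASE?QUERY</a>
# from the raw query string, which is what the demonstration suggests.
import html
from urllib.parse import quote

BASE = "http://www.openwares.org/cgi-bin/exploit.cgi?"

# Constructed sample input modelled on the post's demonstration.
PAYLOAD = 'www.example.com</a><script>alert("xss")</script>'


def render_link_unsafe(query: str) -> str:
    """Raw interpolation: the query lands inside an attribute value and an
    element body, so a '">' or '</a>' inside it breaks out and the rest of
    the string is parsed as markup."""
    return f'<a href="{BASE}{query}">{BASE}{query}</a>'


def render_link_safe(query: str) -> str:
    """Encode for each context: percent-encode the query for the URL, then
    HTML-escape both the attribute value and the text node (quote=True also
    escapes the quote characters that would close the attribute)."""
    href = BASE + quote(query, safe="")
    text = BASE + query
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(text, quote=True)}</a>')


def contains_markup_injection(rendered: str) -> bool:
    """Crude observable check: a single link has exactly two tags, so any
    extra '<' (or a <script tag) means the query escaped its context."""
    return "<script" in rendered.lower() or rendered.count("<") > 2


if __name__ == "__main__":
    print("unsafe:", render_link_unsafe(PAYLOAD))
    print("safe:  ", render_link_safe(PAYLOAD))
```
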


