lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <33713abc041108080533247b53@mail.gmail.com>
From: stfunub at gmail.com (Andrew Smith)
Subject: TRUSTe.org Cross-Site-Scripting Phishing oppurtunities

Website: http://truste.org
Background: 
TRUSTe? is an independent, nonprofit organization dedicated to
enabling individuals and organizations to establish trusting
relationships based on respect for personal identity and information
in the evolving networked world.
Through extensive consumer and Web site research and the support and
guidance of many established companies and industry experts, TRUSTe
has earned a reputation as the leader in promoting privacy policy
disclosure, informed user consent, and consumer education.
TRUSTe's members include eBay, Apple, MSN, NYTimes and many other big,
scary corporations.

Description: Truste's 'ivalidate.php' is used to validate "trusted"
sites. Whilst the script does add slashes to quotes and closes
<script> and <style> tags, there are a number of HTML tags it does not
strip, including <linK>,<div>,<iframe>.
This leaves the site open to attack from phishers wanting to make
their site appear "trusted".

Further information can be found here: http://wheresthebeef.co.uk/XSS/

TrustE.org were informed of the vulnerability through various e-mail
addresses 5 days ago, they are yet to respond or fix the problem.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ