| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: webmaster at q-cat.com (Nick Price) Subject: Xanga Cross Site Scripting Vunerability - GNAA Security Center Vendor: Xanga URL: http://www.xanga.com/ Versions: Current Remote: Yes Vendor notified: 04 Nov 2004 at 16:48 Vendor response: NONE Summary: ~~~~~~~ Xanga is a fully featured blogging system, it provides great control over look & feel of a users blog by allowing HTML with only basic checks. Xanga has well over 2.5 million users and millions of page views every hour. A security vulnerability in sitemessage.aspx allows malicious users to cause a legitimate-looking page to execute external code or display malicious content. Examples Code: ~~~~~~~~~~~~~~~~~~~~~~~~ http://www.xanga.com/sitemessage.aspx?user=%3Cimg%20src=%22http://www.gnaa.us/images/gnaa.png%22%3E Impact: ~~~~~ External code can be run from security domain of Xanga.com, possibility of posting malicious content such as fake login forms or malicious scripts. Vendor: ~~~~~ Vendor was informed months ago but we have recieved no reply. Credits: ~~~~~ The GNAA Security Team: http://www.gnaa.us/ -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.298 / Virus Database: 265.6.7 - Release Date: 12/30/2004
Powered by blists - more mailing lists