Date: Fri Jan 20 19:39:19 2006
From: sant.jadhav at gmail.com (MuNNa)
Subject: MBT Xss vulnerability

Hi

->Why would he be concerned?  The problem is that most sites on the
internet suffer from XSS vulnerabilities, it's just that nobody cares
because there is nothing to gain from the sites.  Nothing to gain you
say?  Yes.  Let's take this site you posted about for example, I
didn't look over the entire site, but glancing I don't even see
anything which XSS would help you compromise.  The site seemingly is
all static content (minus a search, correct me if I'm wrong) with no
e-mail portal, forums, or anything else that the XSS could be
leveraged to gain access to.  Since the site offers no direct
services (right?) what exactly could you trick people into doing here?
The session cookie seems worthless since there's no login or
anything...

I have clearly mentioned in the disclosure that this XSS is not harmful for
the server side but you can target a lot of people using this website. If you
have completely read my disclosure mail, I have mentioned in the end that a
lot of people seeking jobs can be targeted. I can say this because I know the
value of this organisation from the point of placements. Moreover, this
organisation provides security solutions to other companies. From the point
of the company's security everything is fine but from the point of its social
image......


->Which would be meaningful if:
A) this site were used by millions of people
B) there was something worth compromising the site for (like access to
webmail, personal information, etc...)
I think what I'm missing here is why this particular XSS is useful in
any way shape or form?    Am I missing something significant about
this site?  Do people trust it for something?

As explained before, it can attract a lot of job-seekers. Millions of them.
They trust this organisation. Even I do very much.

->Isn't that what you are doing?

I just posted a disclosure which I felt could be used by some bad guy to
target innocent people. If anyone felt that this disclosure is some sort of
spam and is really harmless, just discard it. At least I don't spam here by
bashing someone else who has posted some disclosure. This bashing attitude
reflects Lamer qualities and this discourages others from mailing
disclosures.

Hope I answered all your answers. Let's cut down the argument here.

Regards;

Santosh J
On 1/20/06, Stan Bubrouski <stan.bubrouski@...il.com> wrote:
>
> On 1/19/06, MuNNa <sant.jadhav@...il.com> wrote:
> >
> > Hahaha ... native code doesn't seem to understand the meaning of XSS and why
> > it can be of security concern. Here not only URL re-direction is possible
>
> Why would he be concerned?  The problem is that most sites on the
> internet suffer from XSS vulnerabilities, it's just that nobody cares
> because there is nothing to gain from the sites.  Nothing to gain you
> say?  Yes.  Let's take this site you posted about for example, I
> didn't look over the entire site, but glancing I don't even see
> anything which XSS would help you compromise.  The site seemingly is
> all static content (minus a search, correct me if I'm wrong) with no
> e-mail portal, forums, or anything else that the XSS could be
> leveraged to gain access to.  Since the site offers no direct
> services (right?) what exactly could you trick people into doing here?
> The session cookie seems worthless since there's no login or
> anything...
>
> > but also execution of malicious javascripts is possible. Your Lame reply
>
> Which would be meaningful if:
> A) this site were used by millions of people
> B) there was something worth compromising the site for (like access to
> webmail, personal information, etc...)
>
> I think what I'm missing here is why this particular XSS is useful in
> any way shape or form?    Am I missing something significant about
> this site?  Do people trust it for something?
>
> > makes me think that you are one of the following:
> > 1. An employee of MBT criticising me in the interest of the company 'or'
> > 2. A poor spammer who doesn't know anything but tries to show off as if he is
> > the MASTER. If this is the case carry on with your spamming business and
> > good luck for your future.
>
> Isn't that what you are doing?
>
> -sb
>
> >
> > Regards;
> > Santosh J.
> >
> >
>