| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri May 26 03:54:33 2006 From: batchwork at arcor.de (batchwork@...or.de) Subject: XSS Vector at www.titus.de TITUS is a large german mailorder for skateboards and extreme sports related stuff. On the TITUS Homepage you can find a damn huge community (about 20.000 registered user). Inside the community a registred member can send IMs to other users, send eMails via web interface and drop orders to the mailorder. At the community rush hour nearly 5000 users are online at the same time. Easy to figure out what will happen when an XSS worm hits the site. And thats the point. The webmailer system offers an offensive vector for XSS attacks. If you send a mail (no need to type an receiver adress) with the following content, you have successfully executed a custom (malicious) script on the page: - "><script type="text/javascript">alert(document.cookie);</script><a href=" - I've already sent a mail to the technical team at titus.de, but there wasn't an answer neither a fix. Greetings, Batchwork -- freemail adverts: Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: g?nstig und schnell mit DSL - das All-Inclusive-Paket f?r clevere Doppel-Sparer, nur 44,85 ? inkl. DSL- und ISDN-Grundgeb?hr! http://www.arcor.de/rd/emf-dsl-2
Powered by blists - more mailing lists