| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1167117443.2619.30.camel@codeworld>
Date: Tue, 26 Dec 2006 15:17:23 +0800
From: Deepan <codeshepherd@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: xss problems
Hi All,
The following sites have XSS problems
1) http://chennaionline.com/search/ ( the first search box )
The user input for search is later displayed in the result page. No
filtering is done to remove Java Scripts in the query.
2) http://www.sdbj.com/forgot.asp
user is a valid field in the table where email is stored.
3) http://www.visionoss.com/login/forgotpassword/
userEmail is a valid field in the table where email is stored.
I had reported my findings. I am just trying to learn the basics of XSS.
I have few doubts. The site
http://www.xdisclose.com/tools/yahoocookiepoc.html is capable of
decrypting yahoo cookies. I fail to understand how they decrypt the user
name, dob and country details from cookie.
The relavent cookie contents are
Y=v=1&n=3nkia0lkek00v
l=h4fb820j4c08b/o
p=m2kvvin013000000
jb=16|47|
iz=600042
r=ak
lg=us
intl=us
np=1
l stands for username,
p stands for country, year of birth, gender
Can someone tell me how xdisclose.com tools decrypt username, country,
year of birth and other details.
--
-----------------------------------------------
Regards
Deepan Chakravarthy N
http://www.codeshepherd.com/
http://sudoku-solver.net/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists