Date: Tue, 13 Nov 2007 23:51:58 -0700
From: dave-san <dave@...verted.org>
To: XSS Worm XSS Security Information Portal
	<cross-site-scripting-security@...worm.com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: *****SPAM***** [WEB SECURITY] Re: Wordpress 2.3 Cross Domain Content Insertion - New vulnerability + exploit - xssworm.com

Spam detection software, running on the system "moonshine.electriccat.int", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Comments inline.. XSS Worm XSS Security Information Portal wrote:
   > *0day XSS Exploit for Wordpress 2.3* – wp-slimstat 0.92 – [xssworm.com]
   >
   > Source:
   > http://xssworm.blogvis.com/13/xssworm/0day-inject-exploit-for-wordpress-23-xsswormcom-all-version-vulnerable-with-no-patch/
   >
   > There are serious holes in wordpress 2.3 that can be used with XSS by a
   > blackhat hacker to attack the wordpress administrator and steal cookies
   > from blogmins. This attack is known as 0day because it has just been reported
   > to public and this is first day of public vulnerability, and *0day means
   > 'published.*'
   >
   > Proof of concept:
   >
   > http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>
   > [...]

Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
 1.6 TVD_RCVD_IP            TVD_RCVD_IP
 2.1 DNS_FROM_RFC_BOGUSMX   RBL: Envelope sender in bogusmx.rfc-ignorant.org



Content of type "message/rfc822" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/