lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <006d01cbfed4$18f0d7b0$0201a8c0@ml>
Date: Tue, 19 Apr 2011 23:54:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "security curmudgeon" <jericho@...rition.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New vulnerabilities in eSitesBuilder

Hello security curmudgeon!

> How many times are you going to disclose this?

Be attentive - I wrote about different holes.

In June (http://seclists.org/bugtraq/2010/Jun/189) I wrote about XSS in
public forget.php (for users):

http://site/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

In August (http://seclists.org/fulldisclosure/2010/Aug/306) I wrote about
multiple holes in eSitesBuilder and in particularly wrote about holes in
public forget.php. I wrote about Insufficient Anti-automation and mentioned
for company :-) about earlier-mentioned XSS (so both holes in this script
would be in one place). Also it was possible to mention about Abuse of
Functionality hole in this script (to write about three holes in it in one
advisory), but only later I decided to write about this hole - in hidden
forget.php script - which I did in the next advisory (and people easily
could understand that both forget.php scripts has AoF hole which allows to
enumerate logins).

In December (http://seclists.org/fulldisclosure/2010/Dec/465) I wrote about
XSS in hidden (there are no public links to it) forget.php (for admins):

http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

Plus added information about Insufficient Anti-automation and Abuse of
Functionality holes in this script. So these are two different forget.php
scripts. Which both have three similar holes (it's quite expected, that
developers used the same code for forget password functionality for users
and for admins).

> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:

My dear, in that timeline I showed that first time I found these holes long
time ago - at two e-commerce sites (99% of all holes I'm finding at web
sites in Internet). And I informed admins of those sites (which lamerly
ignored to fix the holes) and they could inform developer of this commercial
CMS (but most of holes wasn't fixed at demo site of CMS developer, which
showed that developer also don't care about security for a long time,
regardless if he was informed by owners of these sites or not, because they
ignored even after my informing).

This information in timeline must show long time ignorance of security by
owners of e-commerce sites (online shops) and developers of e-commerce
engines. And there must not be any questions (because everything must be
clear). But if there is some incomprehensibility, then I'll make it clear.

Those sites didn't show what engine they were using (it's common for
commercial engines and sites on such engines, online shops in particular).
Only in summer 2010 I've found (when decided to do it) at one of these
online shops, and then checked at another, the hidden admin panel with 
mentioned name of engine. As I wrote in Timeline:

> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).

And after I found that it's eSitesBuilder, I wrote series of advisories
about holes in this engine (as those holes which I found in 2007-2008, as
those ones found in 2010).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "security curmudgeon" <jericho@...rition.org>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Sunday, April 17, 2011 3:56 AM
Subject: Re: [Full-disclosure] New vulnerabilities in eSitesBuilder


>
> : SecurityVulns ID: 11310.
>
> : XSS (WASC-08):
> :
> :
> http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
>
> How many times are you going to disclose this?
>
> http://seclists.org/bugtraq/2010/Jun/189
>
> http://seclists.org/fulldisclosure/2010/Aug/306
>
> http://seclists.org/fulldisclosure/2010/Dec/465
>
> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:
>
> 21.11.2007 - found some of these vulnerabilities.
> 11.08.2008 - announced at my site.
> 11.08.2008 - informed admins of web site.
> 11.08.2008 - found others of these vulnerabilities.
> 11.02.2009 - disclosed at my site about first vulnerabilities.
> 05.05.2009 - disclosed at my site about other vulnerabilities.
> 06.05.2009 - informed admins of web site about other vulnerabilities.
> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).
> 19.06.2010 - informed developers (in case if owners of vulnerable site
> didn't informed them in previous years).
>
> Seriously, how long can you milk a single XSS here?
>
> : 2010.10.08 - announced at my site.
> : 2010.10.08 - informed developers.
> : 2010.12.16 - disclosed at my site.
> :
> : I mentioned about these vulnerabilities at my site
> : (http://websecurity.com.ua/4588/).
>
> http://websecurity.com.ua/4300/
>
> Several times, yes you did.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ