lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <006d01cbfed4$18f0d7b0$0201a8c0@ml>
Date: Tue, 19 Apr 2011 23:54:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "security curmudgeon" <jericho@...rition.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New vulnerabilities in eSitesBuilder

Hello security curmudgeon!

> How many times are you going to disclose this?

Be attentive - I wrote about different holes.

In June (http://seclists.org/bugtraq/2010/Jun/189) I wrote about XSS in the public forget.php (for users):

http://site/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

In August (http://seclists.org/fulldisclosure/2010/Aug/306) I wrote about multiple holes in eSitesBuilder and in particular wrote about holes in the public forget.php. I wrote about Insufficient Anti-automation and mentioned for the company :-) the earlier-mentioned XSS (so both holes in this script would be in one place). It was also possible to mention the Abuse of Functionality hole in this script (to write about three holes in it in one advisory), but only later I decided to write about this hole - in the hidden forget.php script - which I did in the next advisory (and people could easily understand that both forget.php scripts have the AoF hole which allows enumerating logins).

In December (http://seclists.org/fulldisclosure/2010/Dec/465) I wrote about XSS in the hidden (there are no public links to it) forget.php (for admins):

http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

Plus I added information about the Insufficient Anti-automation and Abuse of Functionality holes in this script.

So these are two different forget.php scripts, which both have three similar holes (it's quite expected that the developers used the same code for the forget-password functionality for users and for admins).
> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:

My dear, in that timeline I showed that I first found these holes a long time ago - at two e-commerce sites (99% of all holes I find are at web sites on the Internet). And I informed the admins of those sites (who lamerly ignored fixing the holes) and they could have informed the developer of this commercial CMS (but most of the holes weren't fixed at the demo site of the CMS developer, which showed that the developer also didn't care about security for a long time, regardless of whether he was informed by the owners of these sites or not, because they ignored it even after my informing).

This information in the timeline must show the long-time ignorance of security by owners of e-commerce sites (online shops) and developers of e-commerce engines. And there must not be any questions (because everything must be clear). But if there is some incomprehensibility, then I'll make it clear.

Those sites didn't show what engine they were using (it's common for commercial engines and for sites on such engines, online shops in particular). Only in summer 2010 I found (when I decided to look for it) at one of these online shops, and then checked at another, the hidden admin panel with the mentioned name of the engine. As I wrote in the Timeline:

> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).

And after I found that it's eSitesBuilder, I wrote a series of advisories about holes in this engine (both those holes which I found in 2007-2008 and those found in 2010).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "security curmudgeon" <jericho@...rition.org>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Sunday, April 17, 2011 3:56 AM
Subject: Re: [Full-disclosure] New vulnerabilities in eSitesBuilder

> : SecurityVulns ID: 11310.
> : XSS (WASC-08):
> :
> : http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
>
> How many times are you going to disclose this?
>
> http://seclists.org/bugtraq/2010/Jun/189
> http://seclists.org/fulldisclosure/2010/Aug/306
> http://seclists.org/fulldisclosure/2010/Dec/465
>
> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:
>
> 21.11.2007 - found some of these vulnerabilities.
> 11.08.2008 - announced at my site.
> 11.08.2008 - informed admins of web site.
> 11.08.2008 - found others of these vulnerabilities.
> 11.02.2009 - disclosed at my site about first vulnerabilities.
> 05.05.2009 - disclosed at my site about other vulnerabilities.
> 06.05.2009 - informed admins of web site about other vulnerabilities.
> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).
> 19.06.2010 - informed developers (in case if owners of vulnerable site
> didn't informed them in previous years).
>
> Seriously, how long can you milk a single XSS here?
>
> : 2010.10.08 - announced at my site.
> : 2010.10.08 - informed developers.
> : 2010.12.16 - disclosed at my site.
> :
> : I mentioned about these vulnerabilities at my site
> : (http://websecurity.com.ua/4588/).
>
> http://websecurity.com.ua/4300/
>
> Several times, yes you did.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
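The three hole classes the thread attributes to both copies of forget.php (reflected XSS in the e_mail parameter, login enumeration through the forget-password reply, and no anti-automation) are easiest to see side by side in a minimal handler. The following is an added example and not eSitesBuilder's code: the page shows only the two proof-of-concept URLs, so the handler shape, the `$userExists`, `$sendReset` and `$tooManyAttempts` callables and the sample request are all assumptions made here for illustration.

```php
<?php
// Added example, not eSitesBuilder's forget.php. The lookup, mailer and
// attempt-counter are passed in as callables because the page says nothing
// about how the real script implements them (assumed interfaces).
declare(strict_types=1);

// Vulnerable shape: e_mail is echoed raw into HTML (reflected XSS), the reply
// differs for registered and unregistered addresses (login enumeration), and
// nothing slows down a script walking through candidate logins.
function forget_vulnerable(array $get, callable $userExists): string
{
    $email = (string)($get['e_mail'] ?? '');
    if (!isset($get['seenform'])) {
        return '<form><input name="e_mail" value="' . $email . '"></form>';
    }
    if ($userExists($email)) {
        return 'Password has been sent to ' . $email;   // payload reflected verbatim
    }
    return 'No such user: ' . $email;                    // different text = enumeration oracle
}

// Hardened shape: output-encode for the HTML context, answer identically
// whether or not the address exists, and refuse after too many attempts.
function forget_hardened(
    array $get,
    callable $userExists,
    callable $sendReset,
    callable $tooManyAttempts
): string {
    $email = (string)($get['e_mail'] ?? '');
    // ENT_QUOTES covers both attribute quote styles; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8 (which would hide the echo).
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if (!isset($get['seenform'])) {
        return '<form method="post"><input name="e_mail" value="' . $safe . '"></form>';
    }
    // Anti-automation hook: per-client/per-address counter assumed elsewhere.
    if ($tooManyAttempts($email)) {
        return 'Too many requests. Please try again later.';
    }
    // Do the real work only for valid, registered addresses, but say the same
    // thing in every case so the reply cannot be used to enumerate logins.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false && $userExists($email)) {
        $sendReset($email);
    }
    return 'If ' . $safe . ' is registered, reset instructions have been sent.';
}

// Constructed request carrying the payload from the advisory URL.
$req    = ['e_mail' => '<script>alert(document.cookie)</script>', 'seenform' => 'y'];
$exists = fn(string $e): bool => $e === 'admin@example.com';   // assumed lookup

echo forget_vulnerable($req, $exists), "\n";                              // <script> reflected
echo forget_hardened($req, $exists, fn($e) => null, fn($e) => false), "\n"; // &lt;script&gt;
```

The same hardened body can back both the public `/forget.php` and the `/console/forget.php` copy; the thread's point that the two scripts share one code path is exactly why the fix should live in one shared function rather than be patched in each file separately.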