Message-ID: <CAH8yC8=rQWEwnmVZqd573uL_ojOjW0AyTaaNMaSa5i=+rihP2A@mail.gmail.com>
Date: Thu, 11 Apr 2013 20:12:02 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Swair Mehta <swairmehta@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Allegro.pl XSS [0-day]
On Thu, Apr 11, 2013 at 2:33 PM, Swair Mehta <swairmehta@...il.com> wrote:
> Well try the "search" on plantronics website. http://www.plantronics.com/us/
>
> Nobody notified, I couldn't see the contact us link
> on the first page.

Stay away from the web based stuff since there could be an obscene
EULA festering there.

You have well known mailboxes from RFC 2142 (as Henri pointed out) and
the WHOIS database information which will provide technical and
administrative contacts.

Jeff

> On 11-Apr-2013, at 9:28 AM, Kacper Szczesniak <kacper@....pl> wrote:
>
> Hi All!
>
> I was looking for a 19" rack mount today and found this XSS instead:
> http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
>
> it turns out to be a custom data-headline attribute that is not properly
> escaped
>
> tested on Firefox 20, Chrome and others need an xss filter bypass
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
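
The report in this thread attributes the issue to a search string written unescaped into a data-headline attribute. The following is an added example, not part of the original messages and not the site's code, showing that rendering step before and after attribute-context escaping; the surrounding markup and the function names are assumptions, and the input is the decoded `string` parameter from the URL quoted above.

```javascript
'use strict';

// Escape a value for placement inside a quoted HTML attribute.
// '&' is replaced first so the entities produced below are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// "Before": the query is concatenated into the attribute as-is, so a
// double quote in the query ends the attribute early.
// (Hypothetical markup; the page only names the data-headline attribute.)
function renderHeadlineUnsafe(query) {
  return '<div class="listing" data-headline="' + query + '"></div>';
}

// "After": the same markup with the value escaped for attribute context.
function renderHeadlineSafe(query) {
  return '<div class="listing" data-headline="' + escapeAttr(query) + '"></div>';
}

// Count opening tags in the generated markup. The template emits exactly
// one (<div>), so any higher count means the value escaped its attribute.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Decoded value of the `string` parameter from the URL in the report.
const reported = decodeURIComponent(
  '%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E'
);

// A benign query that also contains a double quote (constructed sample).
const benign = '19" rack mount';

console.log(countOpeningTags(renderHeadlineUnsafe(reported))); // 2
console.log(countOpeningTags(renderHeadlineSafe(reported)));   // 1
console.log(renderHeadlineSafe(benign));
```

The benign query shows why escaping rather than rejecting quotes is the right fix here: a legitimate search for a 19" rack mount contains the same character that ends the attribute.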