Date: Mon, 02 Sep 2013 19:25:28 +0200
From: klondike <>
Subject: Permanent XSS and user enumeration on

It's possible to do a permanent XSS injection on the

For this when you register in the website through you
need to put your code in the name field taking into account that it will
be converted into caps when reflected. Once done the code can be found
at and at as long as the user is logged in.

This vulnerability could be used for example with phishing attacks to
steal user data amongst other things by making the user login with the
given data and then asking him to enter an appropriate address.

To make things more interesting, the and the
can be used by spammers to check whether a particular e-mail is
registered or not on the website since they will report back that

The first one can be used without side effects by entering a single
character password resulting either in an error regarding password
length or in a notice that the e-mail was already registered.

The second one can be used just by entering the e-mail and checking the
resulting message, but will have as a side effect that an e-mail will be
sent back to the registered users asking them to reset their password.

I hope this information is useful,
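The two issues in the post (the name field reflected in uppercase without escaping, and the registration/reset responses that differ by whether the e-mail exists) are shown below from the defender's side, as an added example that is not part of the original message or of the affected site. The user store, message texts and function names are constructed for illustration; the point is that uppercasing user input does nothing to neutralise markup, that output must be escaped after any transformation, and that account-existence checks must return one identical message on every path.

```python
import html

# Constructed sample user store; stands in for the site's real database.
REGISTERED = {"alice@example.com", "bob@example.com"}

# One message per endpoint, returned whether or not the address is known.
GENERIC_REGISTER = "If this address can be registered, a confirmation e-mail has been sent."
GENERIC_RESET = "If an account exists for this address, a reset link has been sent."


def reflect_name_unsafe(name: str) -> str:
    """The pattern described in the post: uppercase the name and reflect it as-is.
    The case change does not remove tags, so markup in the name is still markup."""
    return f"<h1>Welcome, {name.upper()}</h1>"


def reflect_name_safe(name: str) -> str:
    """Escape after the transformation, so whatever the name contains is text."""
    return f"<h1>Welcome, {html.escape(name.upper(), quote=True)}</h1>"


def contains_script_tag(rendered: str) -> bool:
    """Detection helper for the test: does the rendered page still carry a <script> tag?"""
    return "<script" in rendered.lower()


def register(email: str, password: str, outbox: list) -> str:
    """Registration that never reveals whether `email` is already taken.

    Password policy is checked first, so a short password yields the same
    error for known and unknown addresses; a valid request then returns the
    same generic message either way and only the e-mail sent differs."""
    if len(password) < 8:
        return "Password must be at least 8 characters."
    if email in REGISTERED:
        # Tell the existing owner someone tried to register their address.
        outbox.append((email, "someone tried to register this address"))
    else:
        outbox.append((email, "confirm your registration"))
    return GENERIC_REGISTER


def request_reset(email: str, outbox: list) -> str:
    """Password reset that returns one message regardless of account existence.
    The side effect (the reset e-mail) only happens for known accounts, but it is
    not visible to the requester."""
    if email in REGISTERED:
        outbox.append((email, "reset your password"))
    return GENERIC_RESET


if __name__ == "__main__":
    # Constructed name containing markup, as the post describes for the name field.
    name = "<script>alert(1)</script>"
    print(reflect_name_unsafe(name))
    print(reflect_name_safe(name))
    sent = []
    print(register("alice@example.com", "x", sent), "|", register("nobody@example.com", "x", sent))
    print(request_reset("alice@example.com", sent), "|", request_reset("nobody@example.com", sent))
```

Identical response bodies are the minimum; HTTP status codes, redirects, and response timing must also match across the known and unknown paths, and the mail-sending step should be deferred to a queue so that the request does not take measurably longer when a message is actually sent.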

