| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 Jun 2014 07:46:08 +0200 From: Adrien Jolibert <jolibert@...il.com> To: Roberto Garcia Amoriz <roberto.garcia@...aramo.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] XSS on Panasonic site Hello Roberto Garcia Amoriz, Would you tell where resides the "XSS vulnerability". Need more informations. I understand you can trigger stuff such as exploit kits -i.e. using browser vulns-, steal cookies, or play with browser JavaScript and HTML DOM. Plus are you sure/checking cookies flags on these sites are not set to HttpOnly/secure ? (clear your browser cache, make a new session, and look). But when it is not a general public website with ++billions++ of users, how would you trigger these reflected ones ? The only practical case I see was that one, 2 years ago (?), against Youtube and a stored (! not reflective) XSS. That one was on comments. From mind on every posts combined with the 0-day Microsoft help center, you got SYSTEM (the gold account) access to any computers using M$ from youtube. For god sake and mind, none made that one viral or had the idea, youtube got it really close to get shut down, but still there. That was making sense for a huge bot-net, plus thus reporting an XSS vulnerability make it. For your reporting, Spam ? The action of triggering is still the same you need an user interaction clicking a link. Viral ones ? You need an HTML post/get interaction, that is not the case of yours, have you tried to trigger them ? Get deeper dude, try harder ( :-) ). I got more and more doubts about these vulnerabilities, you can be tricked on these websites but now it is like clicking on "viagra link" or "free lesbian videos" coming onto our in-box. I see more tricking ones using web services, some sending mails; that may be a factor. Audits are just made from XSS/SQLi or other injections, just with nessus scans or others, but none tries the business logic (like mad and poor designed services). That is mad, but It is always what I am looking first With modern frameworks, failures resides on inner logic. Have you tried using POST actions to see if you can get them and make them viral ? This is just a question, because I see a lot of +simples+ XSS coming from you on this list, I appreciate your contributions, you did good, don't look for a blame. I am not blaming, and I am not the one who can. I appreciate what you make, not like the others. Just get deeper. But it is becoming useless among real exploits that may help the monks here using IDS and thinking they make good reading signatures (! 1337 idiots). To these fools, I say, good luck being paid forever, Roberto Garcia know much more as yours. On Fri, Jun 20, 2014 at 3:04 PM, Roberto Garcia Amoriz < roberto.garcia@...aramo.com> wrote: > - XSS on > Panasonic site- > > > **************************************************************************** > *************************************** > Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS) > Advisory ID: 969061 > Author: Roberto Garcia (@1gbDeInfo) > Affected Software: Successfully tested on security.panasonic.com Vendor > URL: http://security.panasonic.com > Vendor Status: reported 2 times but not solved > > **************************************************************************** > *************************************** > > > ************************** > Vulnerability Description > ************************** > > The website " security.panasonic.com " is prone to a XSS vulnerability. > > This vulnerability involves the ability to inject arbitrary and > unauthorized > javascript code. A malicious script inserted into a page in this manner can > hijack the user’s session, submit unauthorized transactions as the user, > steal confidential information, or simply deface the page. > > > ************************** > PoC-Exploit > ************************** > > > > http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea > lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1 > > > > http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea > lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8 > > > ************************** > Solution > ************************** > > Reported 2 times but not solved > > ************************** > Disclosure Timeline > ************************** > > - Report vuln Jun 4, 2014 via email to samuel.garcia@....eu.panasonic.com > > - Reported again via web Jun 12, 2014. They answer me: > > Dear Mr. Garcia, > Thank you for your prompt e-mail reply. > egarding your enquiry, I am writing to confirm having forwarded > your > message to the corresponding department. > > Kind Regards, > Teo > Customer Service Team > Panasonic UK > > ************************** > Afected sites: > > - vftr.panasonic.co.jp > - security.panasonic.com > - panasonic.ney > > ************************** > > > ************************** > Credits > ************************** > > > ---------------------------------------------------------------------------- > -------------- > Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo) > > ---------------------------------------------------------------------------- > -------------- > > Best regards. > > Roberto Garcia Amoriz > > Linkedin: es.linkedin.com/in/rogaramo/ > Web: http://www.1gbdeinformacion.com > Twitter: @1gbdeinfo > > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists