Full Disclosure mailing list archives
Re: MBT Xss vulnerability
From: Stan Bubrouski <stan.bubrouski () gmail com>
Date: Fri, 20 Jan 2006 16:47:01 -0500
On 1/20/06, MuNNa <sant.jadhav () gmail com> wrote:
Hii ->Why would he be concerned? The problem is that most sites on the internet suffer from XSS vulenrabilities, its just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offeres no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything... I have clearly mentioned in the disclosure that this Xss is not harmful for server side but you can target a lot of people, using this website. If you have completly read my disclosure mail, i have mentioned in the end that a lot of people seeking job can be targeted. I can say this because i know the value of this organisation from point of placements. Morever this organisation provides security solution to other companies. From the point of comapny's security everything is fine but from the point of its social image......
Okay.
->Which would be meaningful if: A) this site were used by millions of people B) there was something worth compromising the site for (like access to webmail, personal information, etc...) I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something? As explained before , it can attract a lot of job-seekers. Millions of them. They trust this organisation. Even i do very much.
Okay see that's why I asked since this site is used by millions of people that actually answers my question. Thank you.
->Isn't that what you are doing? I just posted a disclosure which i felt could be used by some bad guy to target innocent people.If anyone felt that this disclosure is some sort of spam and is really harmless, just discard it. Atleast i dont spam here by bashing someone else who has posted some disclosure. This bashing attitude reflects Lamer qualities and this discourages others from mailing disclosures.
Yeah I actually felt bad after I wrote that line, I jsut didn't understand how his repsonse contributed to spam and yours didn't, know what I mean?
Hope i answered all your answers. Lets cut down the argument here.
You did, and thouroughly! I thank you!
Regards; Santosh J
You da man, Stan
On 1/20/06, Stan Bubrouski <stan.bubrouski () gmail com> wrote:On 1/19/06, MuNNa <sant.jadhav () gmail com> wrote:Hahaha ... native code doesnt seem to understand the meaning of Xss andwhyit can be of security concern. Here not only url re-direction ispossibleWhy would he be concerned? The problem is that most sites on the internet suffer from XSS vulenrabilities, its just that nobody cares because there is nothing to gain from the sites. Nothing to gain you say? Yes. Let's take this site you posted about for example, I didn't look over the entire site, but glancing I don't even see anything which XSS would help you compromise. The site seemingly is all static content (minus a search, correct me if I'm wrong) with no e-mail portal, forums, or anything else that the XSS could be leveraged to gain access to. Since the site offeres no direct services (right?) what exactly could you trick people into doing here? The session cookie seems worthless since there's no login or anything...but also execution of malicious javascripts is possible.Your Lame replyWhich would be meaningful if: A) this site were used by millions of people B) there was something worth compromising the site for (like access to webmail, personal information, etc...) I think what I'm missing here is why this particular XSS is useful in any way shape or form? Am I missing something significant about this site? Do people trust it for something?makes me think that you are one of the following: 1.An employee of MBT criticising me in the interest of the company'or'2.A poor spammer who doesnt know anything but tries to shows-off as ifhe isthe MASTER. If this is the case carry on with your spamming business and good luck for your future.Isn't that what you are doing? -sbRegards; Santosh J.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MBT Xss vulnerability MuNNa (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Morning Wood (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 21)
- Re: MBT Xss vulnerability Native.Code (Jan 22)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)