Re: XSS Vulnerabilities at Sun, IBM, Verisign, AOL,

[bugtraq () cgisecurity net]

Instead of emailing every single site you find an XSS in, can you just send a weekly summary instead so as not to fill
up our mailboxes to the point of not caring about what you found?

-z
http://www.cgisecurity.com/ Website Security news, and More
http://www.cgisecurity.com/index.rss [RSS Feed]


> This is a multi-part message in MIME format.
>
> --===============0237947780==
> Content-Type: multipart/alternative;
>       boundary="----=_NextPart_000_0156_01C6BFF2.0562F500"
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0156_01C6BFF2.0562F500
> Content-Type: text/plain;
>       charset="koi8-r"
> Content-Transfer-Encoding: quoted-printable
>
> Why world's leading security companies don't take care of their =
> security?=20
>
> I`ve published some of XSS vulnerabilities in my blog and forwarded them =
> to full-disclosure. But it seems like leading security companies don`t =
> even think of fixing these bugs. Cisco, Microsoft, Symantec, NSA, =
> F-Secure, AOL, Sun, IBM, eEye still have vulnerabilities in their web =
> sites. Is there any chance to protect ourselves from this threat? How =
> can we trust these companies, if their web sites may allow hackers to =
> compromise our computers and get access to our bank accounts?
>
>
>
> Demostration exploit of XSS vulnerability at Verisign is availabe at =
> http://www.securitylab.ru/verisign.php
>
>
>
> Other vulnerabilities cat be found at =
> http://www.securitylab.ru/blog/tecklord/?category=3D19
>
>
>
> Have a nice day,
>
> Valery
>
>
>
>
>
> ------=_NextPart_000_0156_01C6BFF2.0562F500
> Content-Type: text/html;
>       charset="koi8-r"
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
> <META content=3D"MSHTML 6.00.3790.2706" name=3DGENERATOR>
> <STYLE></STYLE>
> </HEAD>
> <BODY bgColor=3D#ffffff>
> <DIV><FONT size=3D2><SPAN lang=3DEN-US style=3D"mso-ansi-language: =
> EN-US"><FONT=20
> size=3D3><FONT face=3D"Times New Roman">
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman">Why =
> world&#8217;s=20
> leading security companies don&#8217;t take care of their security? =
> <?xml:namespace=20
> prefix =3D o ns =3D "urn:schemas-microsoft-com:office:office"=20
> /><o:p></o:p></FONT></SPAN></P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman">I`ve =
> published=20
> some of XSS vulnerabilities in my blog and forwarded them to =
> full-disclosure.=20
> But it seems like leading security companies don`t even think of fixing =
> these=20
> bugs. Cisco, Microsoft, Symantec, NSA, F-Secure, AOL, Sun, IBM, =
> eEye&nbsp;still=20
> have vulnerabilities in their web sites. Is there any chance to protect=20
> ourselves from this threat? How can we trust these companies, if their =
> web sites=20
> may allow hackers to compromise our computers and get access to our bank =
>
> accounts?</FONT></SPAN></P></FONT></FONT></SPAN>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT size=3D3><FONT=20
> face=3D"Times New Roman"></FONT></FONT></SPAN>&nbsp;</P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT size=3D3><FONT=20
> face=3D"Times New Roman">Demostration exploit of&nbsp;XSS vulnerability =
> at=20
> Verisign is availabe at <A=20
> href=3D"http://www.securitylab.ru/verisign.php";>http://www.securitylab.ru=
> /verisign.php</A></FONT></FONT></SPAN></P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman"=20
> size=3D3></FONT></SPAN>&nbsp;</P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman" =
> size=3D3>Other=20
> vulnerabilities cat be found at <A=20
> href=3D"http://www.securitylab.ru/blog/tecklord/?category=3D19";>http://ww=
> w.securitylab.ru/blog/tecklord/?category=3D19</A></FONT></SPAN></P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman"=20
> size=3D3></FONT></SPAN>&nbsp;</P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman" =
> size=3D3>Have a nice=20
> day,</FONT></SPAN></P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman"=20
> size=3D3>Valery</FONT></SPAN></P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT face=3D"Times New Roman"=20
> size=3D3></FONT></SPAN>&nbsp;</P>
> <P class=3DMsoNormal style=3D"MARGIN: 0cm 0cm 0pt"><SPAN lang=3DEN-US=20
> style=3D"mso-ansi-language: EN-US"><FONT size=3D3><FONT=20
> face=3D"Times New =
> Roman"><o:p></o:p></FONT></FONT></SPAN>&nbsp;</P></FONT></DIV></BODY></HT=
> ML>
>
> ------=_NextPart_000_0156_01C6BFF2.0562F500--
>
>
> --===============0237947780==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> --===============0237947780==--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/