Full Disclosure mailing list archives
Re: Vulnerabilities in CMS MYsite
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Mon, 27 Sep 2010 17:36:59 +0200
2010/9/25 MustLive <mustlive () websecurity com ua>:
> Affected products: All versions of CMS MYsite before last one where vulnerabilities were fixed (mostly).

Sorry... what? What is last one where vulns? Mostly lesser?

> Timeline: 2010.06.29 - announced at my site and later informed developers of CMS.

Bad boy!

> Developers quickly answered that they'd look at them.

Looked at whom?

> 2010.09.25 - disclosed at my site. Developers didn't inform me when they fixed the holes, but today I found that they have already fixed the holes (at least at their own site). But I note that even though the XSS is fixed, it is not fixed efficiently, so with mq turned off at the site it's possible to conduct an XSS attack, particularly using MouseOverJacking.

Yeah! Whatever you say, man. But for the interested user without any clue one might add that there is no such thing as "MouseoverJacking". What you described as "MouseoverJacking" is a simple XSS bug where the attacker (you) inserts .. erm... stupid or unnecessary code.

See also http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/msg00500.html

Regards

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/