Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vulnerabilities in CMS MYsite

From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Mon, 27 Sep 2010 17:36:59 +0200
2010/9/25 MustLive <mustlive () websecurity com ua>:

Affected products:

All versions of CMS MYsite before last one where vulnerabilities were fixed
(mostly).



Sorry... what? What is last one where vulns?
Mostly lesser?



Timeline:

2010.06.29 - announced at my site and later informed developers of CMS.


Bad boy!


Developers quickly answered that they'd look at them.


Looked at whom?


2010.09.25 - disclosed at my site. Developers didn't inform me when they
fixed the holes, but today I found that they already fixed holes (at least
at their own site). But I note, that even XSS is fixed, but not efficiently,
so at turned off mq at the site it's possible to conduct XSS attack,
particularly with using of MouseOverJacking.



Yeah! Whatever you say, man.

But for the interested user without any clue one might add, that there
is no such thing as "MouseoverJacking". What you described as
"MouseoverJacking" is a simple XSS bug where the attacker (you)
inserts .. erm... stupid or unnecessary code.
See also
 http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/msg00500.html

Regards

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: