Full Disclosure mailing list archives
Re: New vulnerabilities in eSitesBuilder
From: security curmudgeon <jericho () attrition org>
Date: Sat, 16 Apr 2011 19:56:18 -0500 (CDT)
: SecurityVulns ID: 11310. : XSS (WASC-08): : : http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y How many times are you going to disclose this? http://seclists.org/bugtraq/2010/Jun/189 http://seclists.org/fulldisclosure/2010/Aug/306 http://seclists.org/fulldisclosure/2010/Dec/465 The June disclosure has a timeline indicating you had "announced" it almost two years prior to that: 21.11.2007 - found some of these vulnerabilities. 11.08.2008 - announced at my site. 11.08.2008 - informed admins of web site. 11.08.2008 - found others of these vulnerabilities. 11.02.2009 - disclosed at my site about first vulnerabilities. 05.05.2009 - disclosed at my site about other vulnerabilities. 06.05.2009 - informed admins of web site about other vulnerabilities. 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder (after I found that they concerned with eSitesBuilder). 19.06.2010 - informed developers (in case if owners of vulnerable site didn't informed them in previous years). Seriously, how long can you milk a single XSS here? : 2010.10.08 - announced at my site. : 2010.10.08 - informed developers. : 2010.12.16 - disclosed at my site. : : I mentioned about these vulnerabilities at my site : (http://websecurity.com.ua/4588/). http://websecurity.com.ua/4300/ Several times, yes you did. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: New vulnerabilities in eSitesBuilder security curmudgeon (Apr 17)
- Re: New vulnerabilities in eSitesBuilder Henri Salo (Apr 17)
- Re: New vulnerabilities in eSitesBuilder MustLive (Apr 19)