[Full-disclosure] DAVOSET v.1.1.8

2014-03-07 Thread MustLive
tool (http://websecurity.com.ua/davoset/). This is Bots Strike Back Edition. As the world knows, last week Putin declared war against Ukraine (https://soundcloud.com/mustlive/war-against-ukraine). So the army of bots will come in handy to strike back against the dictator. Video demonstration of DAVOSET

[Full-disclosure] Multiple vulnerabilities in Joomla-Base

2014-02-25 Thread MustLive
-in domain restriction functionality and described a method of bypassing the protection against automated requests introduced in version 3.2. So even the latest version is vulnerable to IAA. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Multiple vulnerabilities in JoomLeague for Joomla

2014-02-23 Thread MustLive
to IAA. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored

Re: [Full-disclosure] DoS via tables corruption in WordPress

2014-02-21 Thread MustLive
the first video on the Internet which shows a live tables corruption attack (in real time). And I made a 100% reproducible DoS for that site. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Timothy Goddard To: na

[Full-disclosure] XSS and CS vulnerabilities in DSMS

2014-02-15 Thread MustLive
to fix holes in CMS and at web site, but didn't do it. 2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.1.7

2014-02-13 Thread MustLive
wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] DoS via tables corruption in WordPress

2014-02-12 Thread MustLive
advisory and WP is still vulnerable (and also I described a DoS vulnerability in the protection functionality against this DoS attack). If Mustlive has any real and concrete information (URL, exploit code), please share with us. All real and concrete information is in my 2009 advisory and 2012 article

Re: [Full-disclosure] DoS via tables corruption in WordPress

2014-02-12 Thread MustLive
-in-mysql/). Link to the video with my WordPress DoS exploit (http://www.youtube.com/watch?v=kwv5ni_qxXs). A proof of this vulnerability in WP and of the attack described in the article. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original

[Full-disclosure] DoS via tables corruption in WordPress

2014-02-10 Thread MustLive
of this vulnerability in WP and of the attack described in the article. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] New vulnerabilities in Google Maps plugin for Joomla

2014-02-07 Thread MustLive
://websecurity.com.ua/6987/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in Contact Form 7 for WordPress

2014-01-31 Thread MustLive
different vulnerabilities in CF7. 2013.10.09 - plugin version 3.5.3 was released (with fix for the first hole). 2013.10.09 - announced at my site about new holes. 2014.01.28 - disclosed at my site (http://websecurity.com.ua/6806/). Best wishes & regards, MustLive Administrator of Websecurity web site

[Full-disclosure] DAVOSET v.1.1.6

2014-01-24 Thread MustLive
to fix their holes for many years). In total there are 141 zombie-services in the list, which are ready to strike against the ill-intentioned regime. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Dictatorial laws in Ukraine

2014-01-24 Thread MustLive
over social networks, as I did last night in my accounts. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Multiple vulnerabilities at president.gov.ua

2014-01-19 Thread MustLive
video translation in my Twitter account). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.1.5

2014-01-01 Thread MustLive
have come, so lists of zombies can be easily extended. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-12-31 Thread MustLive
the first time, 100% CPU consumption on Linux works all the time). In Mozilla Firefox 3.0.19, 10.0.7 ESR, 15.0.1 and 26 - freezing of the browser and BSOD of the OS. I have disclosed it at my site (http://websecurity.com.ua/6939/). Best wishes & regards, MustLive Administrator of Websecurity web

[Full-disclosure] CSRF, XSS and Redirector vulnerabilities in IBM Lotus Notes Traveler

2013-12-31 Thread MustLive
). - On 15.02.2013 I disclosed at my site about IBM Lotus Domino. - On 30.12.2013 I disclosed at my site about IBM Lotus Notes Traveler (http://websecurity.com.ua/6951/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer

2013-12-26 Thread MustLive
- announced at my site. 2013.10.26 - informed developers. 2013.12.19 - disclosed at my site about Dewplayer. 2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in Dewplayer

2013-12-23 Thread MustLive
at my site (http://websecurity.com.ua/6831/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1

2013-12-22 Thread MustLive
, but not this time. So I've blacklisted you for trolling and you should never comment on my letters, neither to my e-mail address nor to the list. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Julius Kivimäki To: MustLive Cc

[Full-disclosure] URL Redirector Abuse and XSS vulnerabilities in WordPress

2013-12-19 Thread MustLive
of the third part of these holes. These are URL Redirector Abuse and Cross-Site Scripting vulnerabilities in WordPress. These are just a few of the multiple such holes in WP. I informed WordPress developers about the first two redirector holes in 2007 (and proposed a fix, which I released in my MustLive

[Full-disclosure] CSRF, DoS and IL vulnerabilities in WordPress

2013-12-17 Thread MustLive
: 2013.11.30 - disclosed at my site (http://websecurity.com.ua/6906/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Information Leakage and Backdoor vulnerabilities in WordPress

2013-12-16 Thread MustLive
, etc. Timeline: 2013.11.30 - disclosed at my site (http://websecurity.com.ua/6905/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1

2013-12-08 Thread MustLive
(they didn't specify the details). Vulnerable are WordPress 3.5.1 and previous versions. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

2013-12-06 Thread MustLive
, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Ryan Dewhurst To: MustLive Cc: submissi...@packetstormsecurity.org ; full-disclosure Sent: Saturday, November 30, 2013 10:19 PM Subject: Re: [Full-disclosure] Vulnerabilities hiddenly

Re: [Full-disclosure] DAVOSET v.1.1.4

2013-12-04 Thread MustLive
around the world, especially for protests. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: psy r...@lordepsylon.net To: MustLive mustl...@websecurity.com.ua Cc: full-disclosure@lists.grok.org.uk Sent: Wednesday

[Full-disclosure] DAVOSET v.1.1.4

2013-12-03 Thread MustLive
a new service was added to the full list of zombies, non-working services were removed from the lists of zombies and one bug was fixed. So now you have up-to-date software with fresh lists of zombies for participating in protest actions. Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] Day of bugs in WordPress 3

2013-11-30 Thread MustLive
about multiple hiddenly fixed vulnerabilities in the latest versions of WordPress. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

2013-11-30 Thread MustLive
. Full path disclosure (WASC-13): In function get_allowed_mime_types(). In function set_url_scheme(). In function comment_form(). Vulnerable are WordPress 3.6 and previous versions. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Code Execution vulnerability in Contact Form 7 for WordPress

2013-11-22 Thread MustLive
- announced at my site. 2013.10.01 - informed developer. 2013.10.03-21 - conversation with developer about this and other vulnerabilities in CF7. 2013.10.09 - plugin version 3.5.3 was released. 2013.11.21 - disclosed at my site (http://websecurity.com.ua/6799/). Best wishes & regards, MustLive

[Full-disclosure] DoS vulnerability in Internet Explorer 6, 7, 8 (access violation)

2013-11-19 Thread MustLive
DoS Exploit. http://websecurity.com.ua</title> <!-- Made by MustLive based on exploit by Asesino04 for IE7 (http://1337day.com/exploit/21290) --> </head> <body> <table style="table-layout:fixed"> <col id="132" width="41" span="1">&nbsp;</col> </table> <script> function over_trigger() { var obj_col = document.getElementById(132

[Full-disclosure] BF, LE and IAA vulnerabilities in InstantCMS

2013-11-17 Thread MustLive
. 2013.10.15 - developers released InstantCMS 1.10.3 without fixing any informed vulnerabilities. 2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and FPD vulnerabilities in LBG Zoom In/Out Effect Slider for WordPress

2013-11-04 Thread MustLive
: -- Cross-Site Scripting (WASC-08): XSS in files add_playlist_record.php and settings_form.php. LBG Zoominoutslider XSS.html <html> <head> <title>LBG Zoom In/Out Effect Slider for WordPress XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit

[Full-disclosure] XXE Injection in Spring Framework

2013-11-02 Thread MustLive
released video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I So all vulnerable web applications with affected versions of Spring Framework can be used for attacks on other sites via XXE Injection. Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] DAVOSET v.1.1.3

2013-09-03 Thread MustLive
by cookies). And support for setting ports was added. Also new services were added to the full list of zombies (including a cookie-protected site). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Insufficient Authorization vulnerability in Act

2013-09-01 Thread MustLive
regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and CS vulnerability in Soltech.CMS

2013-08-30 Thread MustLive
/6653/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with GDD FLVPlayer

2013-08-28 Thread MustLive
at my site (http://websecurity.com.ua/6731/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in multiple web applications with GDD FLVPlayer

2013-08-25 Thread MustLive
these vulnerabilities at my site (http://websecurity.com.ua/6727/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] CS and XSS vulnerabilities in GDD FLVPlayer

2013-08-23 Thread MustLive
. 2013.07.11 - informed developers. 2013.08.23 - disclosed at my site (http://websecurity.com.ua/6642/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in Avaya IP Office Customer Call Reporter

2013-08-21 Thread MustLive
it, since Avaya was not responding. 2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE

2013-08-17 Thread MustLive
regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] SQL Injection vulnerability in Soltech.CMS

2013-08-14 Thread MustLive
. 2013.07.14 - informed developers about the second part of vulnerabilities. 2013.08.13 - disclosed at my site (http://websecurity.com.ua/6550/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XXE Injection in Sybase EAServer

2013-08-11 Thread MustLive
</booleanValue> </dt> </lol> So all servers with affected versions of Sybase EAServer can be used for attacks on other sites via XXE. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
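The mechanism behind that last sentence (and behind the Spring Framework XXE message above in this index) is that an XML parser which resolves external entities will issue an outbound request to whatever host the document names, which is what lets a vulnerable server be turned against a third site. The following Python example is added here and is not part of MustLive's posts or of either vendor's code: it feeds a constructed XXE payload (the target hostname is a placeholder assumption) to the standard-library xml.sax parser in both the entity-resolving and the hardened configuration, with an entity resolver that records the request instead of performing it, so the demo runs offline.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed XXE payload; the host is a placeholder, not a real site.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY ext SYSTEM "http://third-party.example/heavy-page">
]>
<data>&ext;</data>
"""


class RecordingResolver(EntityResolver):
    """Logs every external entity the parser asks for and serves a canned
    body instead of fetching it, so the demo never touches the network."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(b"FETCHED-CONTENT"))
        return src


class RefusingResolver(EntityResolver):
    """Defence in depth for untrusted input: any external entity is an error."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError("external entity refused: %s" % systemId)


class TextCollector(ContentHandler):
    """Collects character data so the result of entity expansion is visible."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_external_entities(doc: bytes):
    """The vulnerable configuration: external general entities are resolved.
    Returns (text, list of URLs the parser tried to fetch)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.parts), resolver.requested


def parse_untrusted(doc: bytes) -> str:
    """The hardened configuration: external general entities off, plus a
    resolver that raises if anything ever asks for one anyway."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setEntityResolver(RefusingResolver())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.parts)


if __name__ == "__main__":
    text, urls = parse_with_external_entities(XXE_DOC)
    print("resolving parser fetched:", urls, "and produced", repr(text))
    print("hardened parser produced:", repr(parse_untrusted(XXE_DOC)))
```

The `requested` list is the measurable part: every URL in it is a request the server would have made on the attacker's behalf, to a host of the attacker's choosing. Whether a given server-side parser behaves like the first or the second function is exactly the question to ask of any application that accepts XML from outside.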

[Full-disclosure] Using XXE vulnerabilities for attacks on other sites

2013-08-10 Thread MustLive
wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and FPD vulnerabilities in WPtouch and WPtouch Pro for WordPress

2013-08-03 Thread MustLive
of ZeroClipboard. 2013.04.17 - announced at my site and later informed developers of WPtouch and WPtouch Pro. 2013.08.03 - disclosed at my site (http://websecurity.com.ua/6454/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and CS vulnerabilities in aCMS

2013-08-01 Thread MustLive
://websecurity.com.ua/6535/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.1.2

2013-07-31 Thread MustLive
vulnerabilities at web sites for conducting DoS and DDoS attacks. Also new services were added to the full list of zombies. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DoS and XSS vulnerabilities in Googlemaps plugin for Joomla

2013-07-26 Thread MustLive
): http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1 Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.1.1

2013-07-20 Thread MustLive
, which I checked and found multiple vulnerabilities in this plugin, which I disclosed recently. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] AFU and XSS vulnerabilities in TinyMCE Image Manager

2013-07-19 Thread MustLive
Image Manager AFU.html <html> <head> <title>TinyMCE Image Manager Arbitrary File Uploading exploit (C) 2013 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/tiny_mce/plugins/images/connector/php/" method="post"> <input type="hidden" name

Re: [Full-disclosure] DDoS attacks via other sites execution tool

2013-07-18 Thread MustLive
. Keep working on your software. Concerning your release of v.0.2: think about making a more detailed changelog (not just a mention of the release of a new version, but a detailed description of the changes). Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] Multiple vulnerabilities in Googlemaps plugin for Joomla

2013-07-16 Thread MustLive
?url=%3Cbody%20onload=alert(document.cookie)%3E Full path disclosure (WASC-13): http://site/plugins/content/plugin_googlemap2_proxy.php Besides plugin_googlemap2_proxy.php, it also happens in plugin_googlemap3_proxy.php (but it has another path at web sites). Best wishes & regards, MustLive Administrator

[Full-disclosure] XSS and CS vulnerabilities in TinyMCE Image Manager

2013-07-13 Thread MustLive
, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.1

2013-07-13 Thread MustLive
in readme.txt - added descriptions of different attacks, which I wrote about in my articles. So it must become easier for new users of the program to understand it. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS, CS and FPD vulnerabilities in I Love It theme for WordPress

2013-07-12 Thread MustLive
CosmoThemes about vulnerabilities in their I Love It New theme. 2013.07.11 - disclosed at my site (http://websecurity.com.ua/6646/). 2013.07.12 - informed developers about vulnerabilities in their I Love It theme. Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] CS, XSS and FPD vulnerabilities in WordPress

2013-07-09 Thread MustLive
when the search string starts with http:// or https://. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.0.9

2013-07-06 Thread MustLive
site. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] DDoS attacks via other sites execution tool

2013-07-03 Thread MustLive
regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Julius Kivimäki To: MustLive Cc: full-disclosure@lists.grok.org.uk Sent: Friday, June 21, 2013 7:36 PM Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool

[Full-disclosure] Content Spoofing vulnerabilities in TinyMCE and WordPress

2013-06-30 Thread MustLive
Timeline: 2013.06.21 - released WP 3.5.2 with updated version of Moxieplayer. 2013.06.26 - disclosed at my site (http://websecurity.com.ua/6604/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] Denial of Service in WordPress

2013-06-29 Thread MustLive
, but not good enough - as I showed in my Refresh DoS attack in 2008 in my project Day of bugs in browsers. So browser vendors need to improve their redirect loop protection. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original

[Full-disclosure] WordPress Denial of Service exploit

2013-06-29 Thread MustLive
wrote in 2010 concerning Brute Force and Insufficient Authorization vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274). wordpress-dos.py # WordPress Denial of Service exploit # WordPress 3.4 - 3.5.1 # Author: vnd at vndh.net # Version by MustLive (http://websecurity.com.ua

[Full-disclosure] DAVOSET v.1.0.8

2013-06-28 Thread MustLive
-compatible with previous format. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Denial of Service in WordPress

2013-06-27 Thread MustLive
will work as in WordPress 3.5.2 and previous versions, as it isn't stopped by the browsers (endless redirect). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

Re: [Full-disclosure] Denial of Service in WordPress

2013-06-27 Thread MustLive
will be automatically participating via Looped DoS attack (just by entering this endless loop in any way). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Ryan Dewhurst To: MustLive Cc: submissi
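The endless-redirect behaviour that the two Denial of Service in WordPress messages above describe is something a client can refuse to take part in. The following Python example is added here and is not part of MustLive's posts or of WordPress: it follows a redirect chain with two independent guards, an exact-URL cycle check for A -> B -> A loops and a hop cap for loops that change a counter on every turn (which exact matching never sees), against a constructed stand-in server whose hostnames are placeholders.

```python
from urllib.parse import urljoin


class RedirectLoop(Exception):
    """Raised when a redirect chain cycles or never terminates."""


REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def follow_redirects(start_url, fetch, max_hops=20):
    """Follow redirects using fetch(url) -> (status, location_or_None).

    Guard 1: an exact-URL cycle check catches A -> B -> A.
    Guard 2: a hop cap catches loops that change a query parameter each
    time, where no URL ever repeats. Returns (final_url, hops_taken)."""
    seen = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            return url, len(seen) - 1
        nxt = urljoin(url, location)
        if nxt in seen:
            raise RedirectLoop("cycle: " + " -> ".join(seen + [nxt]))
        seen.append(nxt)
        url = nxt
    raise RedirectLoop("gave up after %d redirects starting at %s" % (max_hops, start_url))


# Constructed stand-in for a web server; the hostname is a placeholder.
RESPONSES = {
    "http://site.example/old": (301, "/new"),   # ordinary one-hop redirect
    "http://site.example/new": (200, None),
    "http://site.example/a": (302, "/b"),       # two-page cycle
    "http://site.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Canned responses; /loop?n=K always redirects to /loop?n=K+1, so the
    chain never repeats a URL and only the hop cap can stop it."""
    if url.startswith("http://site.example/loop?n="):
        n = int(url.rsplit("=", 1)[1])
        return 302, "/loop?n=%d" % (n + 1)
    return RESPONSES.get(url, (404, None))


def classify(url):
    """Return 'ok', 'cycle' or 'unbounded' for a starting URL."""
    try:
        follow_redirects(url, fake_fetch)
        return "ok"
    except RedirectLoop as e:
        return "cycle" if str(e).startswith("cycle") else "unbounded"


if __name__ == "__main__":
    for u in ("http://site.example/old", "http://site.example/a",
              "http://site.example/loop?n=1"):
        print(u, "->", classify(u))
```

The hop cap is the guard that matters for the counter-style loop: a client that only remembers visited URLs will keep following `/loop?n=1`, `/loop?n=2`, ... for as long as the server keeps answering, which is the "automatic participation" the message above refers to.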

[Full-disclosure] DAVOSET v.1.0.7

2013-06-23 Thread MustLive
in their Babelfish service, about which I've informed them already in 2009, they first ignored these holes and after three years completely closed the service. This is the fate of all holed web sites. But there are a lot of other vulnerable sites, so the lists will be updated. Best wishes & regards, MustLive

[Full-disclosure] DAVOSET v.1.0.6

2013-06-21 Thread MustLive
of the tool with additional improvements. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] FPD, XSS and CS vulnerabilities in Slash WP theme for WordPress

2013-06-20 Thread MustLive
(http://securityvulns.com/docs29316.html), you can read in corresponding advisories. Timeline: 2013.04.11 - announced at my site. 2013.04.12 - informed developers. 2013.06.20 - disclosed at my site (http://websecurity.com.ua/6440/). Best wishes & regards, MustLive

[Full-disclosure] DDoS attacks via other sites execution tool

2013-06-18 Thread MustLive
regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] IA and AFU vulnerabilities in aCMS

2013-06-04 Thread MustLive
. 2013.06.04 - disclosed at my site (http://websecurity.com.ua/6428/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] FPD and Security bypass vulnerabilities in AntiVirus for WordPress

2013-06-02 Thread MustLive
bypass allows injecting a PHP backdoor into the web site (for executing OS commands), which will not be identified by the plugin. All details about detecting BWA by the plugin and methods of the bypass are described in my article. Best wishes & regards, MustLive Administrator of Websecurity web site

[Full-disclosure] FPD and Security bypass vulnerabilities in Exploit Scanner for WordPress

2013-05-29 Thread MustLive
, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Backdoor scanners testing

2013-05-27 Thread MustLive
scanners among plugins for WordPress. Feel free to read it, if this topic is interesting for you. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and FPD vulnerabilities in I Love It New theme for WordPress

2013-05-23 Thread MustLive
/iloveitnew/ http://site/wp-content/themes/iloveitnew/videojs/video-js.php http://site/wp-content/themes/iloveitnew/videojs/admin.php Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] AFU vulnerabilities in MCImageManager for TinyMCE

2013-05-19 Thread MustLive
). 2013.04.01 - informed developer in detail. 2013.04.03 - announced at my site. 2013.04.04 - the developer planned to fix these holes in new version in nearest days. 2013.05.18 - disclosed at my site (http://websecurity.com.ua/6416/). Best wishes & regards, MustLive Administrator of Websecurity

[Full-disclosure] AFU vulnerabilities in MCFileManager for TinyMCE

2013-05-18 Thread MustLive
- informed developer in detail. 2013.04.02 - announced at my site. 2013.04.04 - the developer planned to fix these holes in new version in nearest days. 2013.05.17 - disclosed at my site (http://websecurity.com.ua/6413/). Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with VideoJS

2013-05-14 Thread MustLive
wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS and FPD vulnerabilities in Search and Share for WordPress

2013-05-12 Thread MustLive
) Timeline: 2013.02.18 - informed old and new developers of ZeroClipboard. 2013.03.26 - announced at my site. 2013.03.27 - informed developers of Search and Share. 2013.05.11 - disclosed at my site (http://websecurity.com.ua/6394/). Best wishes & regards, MustLive

[Full-disclosure] Vulnerabilities in multiple web applications with VideoJS

2013-05-08 Thread MustLive
of videojs-youtube had no e-mails in his github account and his e-mail mentioned at different web sites was no longer working, so I published my letter on github. 2013.05.07 - Telemeta developers answered and thanked (the only ones among these developers). Best wishes & regards, MustLive

[Full-disclosure] Vulnerabilities in VideoJS

2013-05-06 Thread MustLive
https://github.com/MustLive/video-js-swf - Affected vendors: - Earlier Zencoder, now Brightcove http://videojs.com -- Details: -- Cross-Site Scripting (WASC-08): http://site/video-js.swf?readyFunction=alert(document.cookie

[Full-disclosure] XSS vulnerability in JW Player and JW Player Pro

2013-05-05 Thread MustLive
- found vulnerabilities at official web sites of one commercial CMS with JW Player Pro. 2012.08.18 - informed developers about holes in JW Player Pro. 2012.08.20 - developers fixed three strictly social XSS holes. Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] BF and IA vulnerabilities in IBM Lotus Domino

2013-04-27 Thread MustLive
that they would not fix these holes. - On 26.04.2013 I've disclosed these vulnerabilities at my site (http://websecurity.com.ua/5829/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with jPlayer

2013-04-22 Thread MustLive
developers only these three had contact information). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in jPlayer

2013-04-21 Thread MustLive
://websecurity.com.ua/6379/). 2013.04.21 - tested version 2.3.0 and found that developers fixed only one attack vector and didn't make complete fix, as I recommended in March, so I reminded them and sent them examples of two new XSS. Best wishes & regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] Multiple vulnerabilities in Colormix theme for WordPress

2013-04-20 Thread MustLive
at my site about Colormix theme (http://websecurity.com.ua/6457/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in AI-Bolit

2013-04-14 Thread MustLive
: 2013.01.22 - announced at my site. 2013.01.22 - informed developer about vulnerabilities. 2013.02.01 - developer released new version with protection against Information Leakage. 2013.04.13 - disclosed at my site (http://websecurity.com.ua/6271/). Best wishes & regards, MustLive

[Full-disclosure] XSS and CS vulnerabilities in Dotclear

2013-04-13 Thread MustLive
://websecurity.com.ua/6255/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DoS vulnerability in Internet Explorer (access violation)

2013-04-10 Thread MustLive
/watch?v=eihStRWnrX4 Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS vulnerabilities in ZeroClipboard in multiple plugins for WordPress

2013-04-08 Thread MustLive
regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-04-03 Thread MustLive
was working (on ATI cards) and was not working (on nVidia cards). And sent them all information they needed. 2013.03.02 - announced at my site. 2013.03.13 - Adobe finished investigation. 2013.04.03 - disclosed at my site (http://websecurity.com.ua/6364/). Best wishes & regards, MustLive Administrator

Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf

2013-03-31 Thread MustLive
the next identifier: SecurityVulns ID: 12910. If you want CVE id, then you create it by yourself (as you did) - for this reason I'm publishing to security mailing lists. Best wishes regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Multiple XSS vulnerabilities in IBM Lotus Domino

2013-03-26 Thread MustLive
, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS vulnerabilities in ZeroClipboard and multiple web applications

2013-03-24 Thread MustLive
1.1.7 from new repository. Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb and others

2013-03-11 Thread MustLive
)%27%3EClick%20me%3C/a%3E Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] CS and XSS vulnerabilities in SWFUpload

2013-03-10 Thread MustLive
and html (e.g. for link injection). Cross-Site Scripting (WASC-08): http://site/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E Code will execute after click. It's strictly social XSS. Best wishes regards, MustLive Administrator of Websecurity

[Full-disclosure] AoF, IAA and CSRF vulnerabilities in Question2Answer

2013-03-03 Thread MustLive
to add protection against CSRF into Q2A 1.6 (it'll be released in 2013) and that he added it to the last dev-version of Q2A. 2013.03.01 - disclosed at my site (http://websecurity.com.ua/6192/). Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS

2013-03-01 Thread MustLive
/websecurity_lists.webappsec.org/2010-January/006033.html) http://site/assets/swf/tagcloud.swf?mode=tagstagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E Best wishes regards, MustLive Administrator of Websecurity web site http

[Full-disclosure] BF, IAA and CSRF vulnerabilities in Question2Answer

2013-03-01 Thread MustLive
CSRF holes. 2013.01.17 - developer informed about plans to add protection against CSRF into Q2A 1.6 (it'll be released in 2013) and that he added it to the last dev-version of Q2A. 2013.02.28 - disclosed at my site (http://websecurity.com.ua/6185/). Best wishes regards, MustLive Administrator

[Full-disclosure] XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery

2013-02-20 Thread MustLive
=!alert(document.cookie)//widthheight Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

[Full-disclosure] XSS vulnerabilities in ZeroClipboard

2013-02-18 Thread MustLive
://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//widthheight Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
