2010/9/25 MustLive <[email protected]>:
> Affected products:
>
> All versions of CMS MYsite before last one where vulnerabilities were fixed
> (mostly).

Sorry... what? What is last one where vulns? Mostly lesser?

>
> Timeline:
>
> 2010.06.29 - announced at my site and later informed developers of CMS.

Bad boy!

> Developers quickly answered that they'd look at them.

Looked at whom?

> 2010.09.25 - disclosed at my site. Developers didn't inform me when they
> fixed the holes, but today I found that they already fixed holes (at least
> at their own site). But I note, that even XSS is fixed, but not efficiently,
> so at turned off mq at the site it's possible to conduct XSS attack,
> particularly with using of MouseOverJacking.
>

Yeah! Whatever you say, man. But for the interested user without any clue one might add, that there is no such thing as "MouseoverJacking". What you described as "MouseoverJacking" is a simple XSS bug where the attacker (you) inserts .. erm... stupid or unnecessary code.

See also http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/msg00500.html

Regards

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
