Yes, I have notified the newspapers, although I have yet to receive a response. People, for some reason, do not consider XSS to be as serious as it is. I published an XSS vulnerability on Secunia for a popular guestbook http://secunia.com/advisories/17159/ because a lot of businesses were using it. There have been no updates yet. Similarly, I notified a popular freeware site-search tool of their vulnerabilities, no updates either.
In this case, however, the possibilities are far less heinous. Perhaps it would be possible for a crafty enough hacker to steal an individual's login information to their newspaper subscription, but the escalation from there is not nearly as dangerous as an XSS exploit on a bank or ecommerce site.

Russ

Russell Jones wrote:

>>I had to do it - did you check out my site http://www.xssfools.com ?
>>
>
> I trust that you brought the XSS bugs to the attention of the authors of
> the various websites? There are far more devious and irresponsible
> things to be done with XSS, and your site is essentially providing a
> fast and easy template to exploit known bugs with their websites.
> That's all well and good, imho, if you at least sent an email to the
> appropriate contact emails, and they acknowledged it's a bug and don't
> care. I'm sure I don't need to point out some of the potentially bad
> things that can be done with XSS, from site-cookie stealing to
> attempting to fool the admins into visiting the URL to steal passwords /
> elevated privileges, confidence schemes, email address harvesting (from
> logged in users), etc, etc.
>
> Please, tinker. But tinker responsibly.
> Aaron S. Joyner
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

--
Russell P. Jones
Chief Information Officer
Virante Incorporated
http://www.virante.com
