Full Disclosure mailing list archives
Re: Openware.org IE Fix - Warning
From: Aaron Horst <anthrax101 () yahoo com>
Date: Fri, 19 Dec 2003 06:26:53 -0800 (PST)
Not only does it have memory leaks and buffer overflows, it contains an XSS flaw.

http://www.openwares.org/cgi-bin/exploit.cgi?www.example.com</a><script>alert(unescape("This%20is%20cross%20site%20scripted!"))</script>

Honestly, how can anyone who issues a security patch have such enormous gaping holes in it? I think even Microsoft could do better than this one. This takes a relatively minor bug and turns it into a wide open security failure. Their site does use cookies to track a session ID, which could lead to a compromise of user accounts when combined with a javascript XSS.

admin () openwares org notified.

Aaron Horst

=====
"A bug. Every system has a bug. The more complex the system, the more bugs. Transactions circling the earth, passing through the computer systems of tens or hundreds of corporate entities, thousands of network switches, millions of lines of code, trillions of integrated-circuit logic gates. Somewhere there is a fault. Sometime the fault will be activated. Now or next year, sooner or later, by design, by hack, or by onslaught of complexity. It doesn't matter. One day someone will install ten new lines of assembler code, and it will all come down." -- Ellen Ullman

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
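As an added illustration (not code from the post, and not openwares.org's CGI): the reflection pattern the post describes, with the raw echo beside an output-encoded version, using the exact payload string quoted above as the test input. The handler shape, parameter handling and cookie name are assumptions; the point is that HTML-escaping the echoed query turns `<script>` into inert text, and that marking the session cookie HttpOnly keeps script from reading it if a reflection is ever missed.

```python
import html
from urllib.parse import unquote

# The payload string quoted in the post above, used here as a constructed test input.
POST_PAYLOAD = (
    'www.example.com</a><script>alert(unescape('
    '"This%20is%20cross%20site%20scripted!"))</script>'
)


def render_unsafe(query: str) -> str:
    """Reflects the query string verbatim into the page body and an href.

    This is the defect the post describes: the browser parses the reflected
    text as markup, so a query containing </a><script> runs as script.
    """
    return f'<p>Checking <a href="http://{query}">{query}</a></p>'


def render_safe(query: str) -> str:
    """Escapes the query before reflecting it.

    html.escape(quote=True) converts & < > " and ' to entities, so the reflected
    text cannot close the <a> tag, open a <script> tag, or break out of the
    quoted href attribute.
    """
    safe = html.escape(query, quote=True)
    return f'<p>Checking <a href="http://{safe}">{safe}</a></p>'


def handle_request(raw_query_string: str) -> str:
    """Hypothetical CGI entry point: percent-decode QUERY_STRING, then render safely.

    Decoding happens first and escaping last, so entities are applied to the
    bytes the browser will actually see.
    """
    return render_safe(unquote(raw_query_string))


def contains_live_script(markup: str) -> bool:
    """Cheap check a reviewer can run over rendered output: is there a real <script tag?"""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str) -> str:
    """Second layer for the session-ID concern raised in the post (cookie name assumed).

    HttpOnly stops document.cookie from exposing the ID to injected script;
    Secure and SameSite limit where it is sent.
    """
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; Path=/; SameSite=Lax"


if __name__ == "__main__":
    print("unsafe reflection has live script:", contains_live_script(render_unsafe(POST_PAYLOAD)))
    print("escaped reflection has live script:", contains_live_script(handle_request(POST_PAYLOAD)))
    print(session_cookie_header("example-session-id"))
```

Running the block shows the unescaped render still carries a live `<script` while the escaped render contains only `&lt;script&gt;`; the cookie header is what a fix on the server side would add alongside the output encoding, since encoding alone does nothing for the next reflection someone forgets to escape.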
Current thread:
- Openware.org IE Fix - Warning Thierry (Dec 19)
- Re: Openware.org IE Fix - Warning petard (Dec 19)
- Re: Openware.org IE Fix - Warning Erik van Straten (Dec 19)
- Re[2]: Openware.org IE Fix - Warning phased (Dec 19)
- Re: Openware.org IE Fix - Warning Erik van Straten (Dec 19)
- <Possible follow-ups>
- Re: Openware.org IE Fix - Warning Aaron Horst (Dec 19)
- Re: Openware.org IE Fix - Warning petard (Dec 19)