WebApp Sec mailing list archives

XSS/Script Injection on my personal site


From: "arian.evans" <arian.evans () anachronic com>
Date: Fri, 28 Apr 2006 12:29:40 -0500

In light of the recent Hacker vs. Humanitarian threads
on these lists in the last few days, I find the 580+ IDS
alerts I just got yesterday poignant, and thought some
of you on the lists might as well:

Someone in Atlanta on Cox cable is once again giving
my personal site a "free pen test". I am going to assume
this is related to notifying various vendors of specific
weaknesses in my hosted apps, and attack types that the
vendor tools ineffectively test for.

For the last time, please contact me personally *before*
starting these tests if you'd be so kind. Do you wait
for me to go out on the road so you can fill my webmail
inbox with IDS alerts? ***Not cool.***

I have limited disk space and have to watch this box
closely or everything on it gets DoS'd. Or, alternatively,
I can just not help anyone at all.

I have not shipped off sample code and details to all
the vendors yet, and was waiting to publicly release
examples until all vendors were notified.

***

I have been giving notified parties an open invite to
use apps I host as a testbed, but my ONE request is to
please co-ordinate testing w/me so that you do not DoS
my box. Thanks.

***PostNuke Flaws***

BTW// Had you asked, I could have saved you time
wasted testing irrelevant fields, and told you that
PostNuke has issues with the Func param in Blocks
and with the OP param in several places as well.

One of my colleagues and I have attempted to
contact the PostNuke team for about six months now,
and they silently fixed one of the issues we notified
them about in the newest code base, whilst ignoring
us concerning the rest of them.

I did get one response pointing me to where I could
diff their code and find the silent changes myself,
but I lost all personal email in January and no longer
have that contact history.

Arian J. Evans
+1.913.378.3571 [mobile]







