[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Vulnerabilities in CMS MYsite
- To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Vulnerabilities in CMS MYsite
- From: "Jan G.B." <ro0ot.w00t@xxxxxxxxxxxxxx>
- Date: Mon, 27 Sep 2010 17:36:59 +0200
2010/9/25 MustLive <mustlive@xxxxxxxxxxxxxxxxxx>:
> Affected products:
>
> All versions of CMS MYsite before last one where vulnerabilities were fixed
> (mostly).
Sorry... what? What is last one where vulns?
Mostly lesser?
>
> Timeline:
>
> 2010.06.29 - announced at my site and later informed developers of CMS.
Bad boy!
> Developers quickly answered that they'd look at them.
Looked at whom?
> 2010.09.25 - disclosed at my site. Developers didn't inform me when they
> fixed the holes, but today I found that they already fixed holes (at least
> at their own site). But I note, that even XSS is fixed, but not efficiently,
> so at turned off mq at the site it's possible to conduct XSS attack,
> particularly with using of MouseOverJacking.
>
Yeah! Whatever you say, man.
But for the interested user without any clue one might add, that there
is no such thing as "MouseoverJacking". What you described as
"MouseoverJacking" is a simple XSS bug where the attacker (you)
inserts .. erm... stupid or unnecessary code.
See also
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/msg00500.html
Regards
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/