Re: [Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers



Hello Tõnu!

I'm glad that you liked my article (and advisories) about Cross-Site
Scripting attacks via redirectors.

You can read my next article in English - Redirectors: the phantom menace
(http://websecurity.com.ua/3495/).

> And do not forget, this is a feature, not a bug :P

First, a vulnerability is not the same as a bug; these are different things.
So in the security field words such as vulnerabilities, vulns and holes must
be used, not "bugs" (so as not to decrease their level of criticality to
that of ordinary software errors, which are bugs).

Second, you are right, it's a feature (and it was a well-known aphorism).
It's especially a feature in a hacker's hands ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Tõnu Samuel" <tonu@xxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Saturday, September 19, 2009 8:17 PM
Subject: Re: [Full-disclosure] Cross-Site Scripting attacks via redirectors in different browsers


> I wrote about five methods of attack in the article (via location-header
> and refresh-header redirectors) - about four of them I already posted in
> Bugtraq. In this letter I'll inform you about new vulnerable browsers to
> those vulnerabilities which I wrote to Bugtraq before.

Thanks, useful info for me at least. And do not forget, this is a feature,
not a bug :P

Tõnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
