[OWASP-Bangalore] [Owasp-delhi] iframes injected into premiere educational institutes site
gunwant.s at gmail.com
Thu Oct 8 03:14:13 EDT 2009
On Thu, Oct 8, 2009 at 12:27 PM, <owasp-bangalore-owner at lists.owasp.org> wrote:
> I'm sorry, this list requires you to be subscribed. If you feel you
> should be on this list, try subscribing first.
> ---------- Forwarded message ----------
> From: Gunwant Singh <gunwant.s at gmail.com>
> To: "praveen_recker ." <praveen_recker at sify.com>
> Date: Thu, 8 Oct 2009 12:35:07 +0530
> Subject: Re: [Owasp-delhi] iframes injected into premiere educational
> institutes site
> Hi Praveen,
> It's appreciative and encouraging that your intent is good so to inform and
> get the university guys fix the aforementioned vulnerability.
> Notwithstanding, it is very much vital for us that we should comply with
> the policies of a "Responsible Disclosure of the vulnerabilities".
> Just for being safe in the first place and start the conversation with "I
> tried to inform the guys but of no luck" is not an excuse for disclosing the
> vulnerability in public. Believe me, it's not appropriate for "us" ethically
> or legally to stir up such instigations while we talk about responsibly
> disclosing the flaws.
> I just wanted to bring the fact to the notice of the OWASP community (and
> moderators of course) that this should be happening through appropriate
> channels first rather than appropriate mailing lists. To my surprise, some
> guy disclosed an XSS vulnerability in a popular railway reservation web
> application some time ago. Are we sure that the respective administrators
> are following the mailing lists while we talk about the flaws and the
> exploits? I hopefully anticipate that you are getting what I am talking
> about but if you are still perplexed what I am actually referring to, you
> may want to have a look at these:
> 2. http://www.cert.org/kb/vul_disclosure.html
> 3. http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
> Hope that you (and everyone of us) will find these useful and not to blank
> out, no offense at all :)
> Warm regards,
> On Tue, Oct 6, 2009 at 11:51 PM, praveen_recker . <praveen_recker at sify.com> wrote:
>> Hi OWASP,
>> I am writing this such that it can be informed to concerned authorities.
>> I tried to find mail id of the respective institute to inform them but
>> couldn't find any.
>> Details are as follows....
>> Visit to any page on *http://www.nagarjunauniversity.ac.in*
>> and right click to "View Source", we'll find the following site embedded
>> in iframe *http://bale.ws/show.php*
>> When we open above site it gets redirected to
>> *http://superpupermegacasino.com/* which hosts *SmartDownload.exe*
>> Details of the EXE at virustotal is shown as *Win32/CasOnline!Adware*
>> The page has eval() and base64_decode() methods. When we decode the base64
>> content site *esli.tw* is embedded.
>> There is one more site embedded *http://b.nt002.cn/E/J.JS*
>> When we visit few pages on this site and if any AV is installed on your
>> machine (McAfee AntiVirus is installed in my case and triggers PDF-Exploit
>> alert) it should trigger some alert.
>> Interested folks can further analyze. Please inform concerned guys from
>> Nagarjuna University.
>> Best Regards,
>> Praveen Darshanam,
>> Security Researcher
>> Owasp-delhi mailing list
>> Owasp-delhi at lists.owasp.org
> Gunwant Singh
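
The manual "View Source" check described in the quoted report, as an added example that is not part of the original thread: it lists iframe and script tags loaded from hosts outside the site's own domain and counts eval() calls wrapped around a base64 decoder. The function names, the hidden-frame heuristic and the sample page with its placeholder hosts are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# eval() wrapped around a base64 decoder, in PHP or JavaScript spelling.
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:base64_decode|atob)\s*\(", re.I)

class OffSiteFinder(HTMLParser):
    """Collect iframe/script tags whose src host is outside the site's own domain."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return  # inline, relative or same-site source
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, host, hidden))

def audit_page(html, site_host):
    """Return (off-site embeds, count of eval(base64...) wrappers) for one page."""
    finder = OffSiteFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings, len(OBFUSCATED.findall(html))

# Constructed sample page; hosts are placeholders, not the ones from the report.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://static.university.example/site.js"></script>
<iframe src="http://injected.example/show.php" width="1" height="1"></iframe>
<script src="http://cdn.other.example/E/J.JS"></script>
<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>
</body></html>"""

if __name__ == "__main__":
    embeds, wrappers = audit_page(SAMPLE, "university.example")
    for tag, host, hidden in embeds:
        print(f"off-site <{tag}> from {host} hidden={hidden}")
    print("eval(base64) wrappers:", wrappers)
```

The same function can be run over saved copies of served pages or over template files on the web server; an off-site host in the output is a prompt for review, since legitimate third-party embeds will appear there too.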