[Owasp-delhi] Rediff Search engine XSS Vulnerability

Abhay Bhargav ab at sisa.co.in
Fri May 15 08:32:56 EDT 2009


Dear Nilesh

I checked with the XSSed website once I posted this on my blog. But
what I found more alarming about the Rediff Search engine was the fact
that it delivers XSS payloads and does not encode the output that it
fetches from other websites along with the reflected XSS script.

Yes, when I visited the xssed site, I also came across several other
pages with the vulnerability, but I found the search vulnerability to
be quite serious because of the output encoding issue.

I also encountered the same response from their Customer Care. They
don't seem to give a hoot.

Regards
Abhay




On May 15, 2009, at 5:54 PM, Nilesh Kumar (India) wrote:

> Hi Abhay!
>
>     It's not new. It has been reported several times.
>
> http://xssed.com/search?key=rediff
> Here you can find all Rediff related XSSs.
>
> Even I had contacted Rediff's Technical Manager Salil Chaudhary and
> submitted him the details too.
> But when I saw the above link http://xssed.com/search?key=rediff,
> I got an idea of how serious they are in dealing with the flaw.
>
> So I didn't follow up and today, after 4 months of reporting, the
> status is the same. Their every second Search module is flawed. But
> no use reporting them again.
>
> Rediff is full of vulnerability.
>
> Following is the mail regarding my reporting to them:
> ---------
>
> From: Salil [salilc at rediff.co.in]
> To: Nilesh Kumar (India)
>
> Thanks Nilesh. Appreciate the time taken by you to ship this our
> way. Will have the team look into em.
>
> Regards,
> Salil
> ----- Original Message -----
> From: Nilesh Kumar (India)
> To: salilc at rediff.co.in
> Sent: Sunday, February 01, 2009 6:39 PM
> Subject: Security_Advisory
>
> Dear Salil,
>
>      As discussed, please find the Security Advisory Report for Rediff
> attached here.
>
> What surprised me was that yours is a world class Web site and yet
> the vulnerabilities are quite simple to detect, and that too on your
> home page's 'Search' module.
> Hope you will find it useful and informational.
> In case of any queries just revert back to me. I will be glad to help
> you out.
>
> Waiting for your response.
>
> Thanks,
> Nilesh Kumar,
> Security Specialist, SDG SIPL,
> Noida
>
> ---------
>
>
> Nilesh Kumar CEH ISMS LA
> Security Specialist
> Governance, Risk & Compliance (GRC)
> ________________________________________________________________________
> Cell:+91-9891524880
>
> SDG Software India Pvt. Ltd.
> A-10, Sector 2, NOIDA 201301, (UP), INDIA
> Website: www.sdgc.com
>
>
> From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Abhay Bhargav
> Sent: Wednesday, May 13, 2009 8:20 PM
> To: owasp-delhi at lists.owasp.org
> Subject: [Owasp-delhi] Rediff Search engine XSS Vulnerability
>
> Hi All
>
> I have discovered that Rediff's search engine is vulnerable to Cross
> Site Scripting flaws due to output encoding issues.
>
> Read all about it and see the PoC at my blog http://citadelnotes.blogspot.com/
>
> Regards
> Abhay Bhargav
> CISSP, CISA, CPA, PCI QSA, OCTAVE Implementer
> SISA Information Security Pvt.Ltd.
> Bangalore, India
>
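
The output encoding issue discussed in this thread, as an added example that is not from the original posts or from Rediff's code: a minimal search-results renderer that reflects the user's query and a third-party snippet verbatim, beside the hardened version that HTML-encodes both (and URL-encodes the query where it lands in a link). The query and snippet are constructed sample data.

```python
import html
from urllib.parse import quote

# Constructed sample input: a hostile search query and a snippet as a
# search backend might fetch it from another site (not real Rediff data).
QUERY = '<script>alert(1)</script>'
SNIPPET = 'Results for "x" <img src=x onerror=alert(1)>'


def render_unsafe(query: str, snippet: str) -> str:
    # Vulnerable pattern: the reflected query and the fetched content are
    # concatenated into markup with no output encoding at all.
    return f'<h1>Results for {query}</h1><p>{snippet}</p>'


def render_safe(query: str, snippet: str) -> str:
    # Hardened pattern: every untrusted value is HTML-encoded for the
    # context it is placed in. Content fetched from other sites is just as
    # untrusted as the user's own query and gets the same treatment.
    q = html.escape(query, quote=True)
    s = html.escape(snippet, quote=True)
    # A value placed inside a URL attribute needs URL encoding as well.
    more = quote(query, safe='')
    return (f'<h1>Results for {q}</h1><p>{s}</p>'
            f'<a href="/search?q={more}">more results</a>')


def leaks_raw_markup(fragment: str, untrusted_values: list[str]) -> bool:
    # Regression check for a test suite: True if any untrusted value
    # survived in the rendered page unencoded.
    return any(v in fragment for v in untrusted_values)


if __name__ == '__main__':
    print('unsafe leaks:', leaks_raw_markup(render_unsafe(QUERY, SNIPPET), [QUERY, SNIPPET]))
    print('safe leaks:  ', leaks_raw_markup(render_safe(QUERY, SNIPPET), [QUERY, SNIPPET]))
```

The `leaks_raw_markup` check is the kind of assertion a test suite can run over every template that reflects search input or third-party content.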
