[Owasp-delhi] Rediff Search engine XSS Vulnerability

Nilesh Kumar (India) Nilesh.Kumar at sdgc.com
Fri May 15 08:24:14 EDT 2009


Hi Abhay!

    It's not new. It has been reported several times.


http://xssed.com/search?key=rediff
Here you can find all Rediff related XSSs. 

 

Even I had contacted Rediff's Technical Manager Salil Chaudhary and
submitted him the details too.

But when I saw the above link http://xssed.com/search?key=rediff, I
got the idea how serious they are in dealing with the flaw. :)

 

So I didn't follow up and today, after 4 months of reporting, the status
is the same. Their every second Search module is flawed. But no use
reporting them again.

 

Rediff is full of vulnerabilities.

 

Following is the mail regarding my reporting to them:

---------

 

From: Salil [salilc at rediff.co.in]

To: Nilesh Kumar (India)

 

Thanks Nilesh. Appreciate the time taken by you to ship this our way.
Will have the team look into em.

 

Regards,

Salil

----- Original Message ----- 

From: Nilesh Kumar (India) <mailto:Nilesh.Kumar at sdgc.com>  

To: salilc at rediff.co.in 

Sent: Sunday, February 01, 2009 6:39 PM

Subject: Security_Advisory

 

Dear Salil,

 

     As discussed, please find Security Advisory Report for Rediff
attached here.

 

What surprised me was that yours is a world class Web site and yet the
vulnerabilities are quite simple to detect and that too on your home
page's 'Search' module.

Hope you will find it useful and informational.

In case of any queries just revert back to me. I will be glad to help you
out.

 

Waiting for your response.

 

Thanks,

Nilesh Kumar,

Security Specialist, SDG SIPL,

Noida

 

---------

 

 

Nilesh Kumar CEH ISMS LA

Security Specialist

Governance, Risk & Compliance (GRC)
________________________________________________________________________


Cell:+91-9891524880 


SDG Software India Pvt. Ltd. 
A-10, Sector 2,NOIDA 201301, (UP), INDIA 
Website: www.sdgc.com 


From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Abhay Bhargav
Sent: Wednesday, May 13, 2009 8:20 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Rediff Search engine XSS Vulnerability

 

Hi All

 

I have discovered that Rediff's search engine is vulnerable to Cross
Site Scripting flaws due to output encoding issues. 

 

Read all about it and see the PoC at my blog
http://citadelnotes.blogspot.com/

 

Regards

Abhay Bhargav

CISSP, CISA, CPA, PCI QSA, OCTAVE Implementer

SISA Information Security Pvt.Ltd.

Bangalore, India

 
