[Owasp-delhi] Rediff Search engine XSS Vulnerability

Nilesh Kumar (India) Nilesh.Kumar at sdgc.com
Mon May 18 01:49:11 EDT 2009

Hi Nitin,


     I had contacted one guy, Salil, via LinkedIn (as you can't find a
single e-mail id on Rediff to contact for security incidents) and told him
about the issue. He is Associate Director, Product Development in
Rediff. He accepted the invitation and gave his mail id
'salilc at rediff.co.in' to send the details.

This is Salil's profile 


Later on I sent him the details in the form of an advisory. If you want, I can
send the same to you too. It reports XSS as well as 'Blind SQL
Injection' on their site.


Attached is the mail conversation with Salil.




Nilesh Kumar CEH ISMS LA

Security Specialist

Governance, Risk & Compliance (GRC)



SDG Software India Pvt. Ltd.
A-10, Sector 2, NOIDA 201301, (UP), INDIA
Website: www.sdgc.com

Please Note: The e-mail content is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying
or distribution or forwarding of any or all of the contents in this
message is STRICTLY PROHIBITED. If you have erroneously received this
message, please delete it immediately and notify the sender. Before
opening any attachments please check them for viruses and defects.


From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Nitin Saxena
Sent: Monday, May 18, 2009 10:55 AM
To: nileshkumar83 at gmail.com; Abhay Bhargav
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Rediff Search engine XSS Vulnerability


Abhay / Nilesh,


Let me take this to their higher authorities. Can you help me by passing
on the communications that you sent to Rediff.com initially?



Nitin Saxena

Lead Events and Communications Committee

OWASP Delhi Chapter

	----- Original Message ----- 

	From: nileshkumar83 at gmail.com

	To: Abhay Bhargav <ab at sisa.co.in>

	Cc: owasp-delhi at lists.owasp.org

	Sent: Saturday, May 16, 2009 11:35 AM

	Subject: Re: [Owasp-delhi] Rediff Search engine XSS


	Yes Abhay, I agree, but they don't seem to agree with us! :)
	Have you reported the issue to them? I doubt they will work on it.

	Thanks & Regards,
	Nilesh Kumar,
	Security Specialist | Governance Risk Compliance
	Mobile- +91-9891524880



-------------- next part --------------
An embedded message was scrubbed...
From: "Salil" <salilc at rediff.co.in>
Subject: Re: Security_Advisory
Date: Mon, 2 Feb 2009 09:05:24 +0530
Size: 5338
Url: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20090518/060e51df/attachment-0001.mht 
