[Owasp-delhi] Rediff Vulnerability

Nitin Saxena nitins at cybermedia.co.in
Thu May 28 03:17:06 EDT 2009


They may have started rectifying the vulnerabilities at the moment; let's wait a few more days and see if it is corrected.

Regards
Nitin Saxena
  ----- Original Message ----- 
  From: Nilesh Kumar (India) 
  To: nitins at cybermedia.co.in ; abhay.bhargav at sisa.co.in 
  Cc: owasp-delhi at lists.owasp.org 
  Sent: Thursday, May 28, 2009 12:34 PM
  Subject: FW: [Owasp-delhi] Rediff Vulnerability


           Sorry, still not fixed completely. Even on the main page itself it is restricting scripts in simple form, but not encoded ones. ;)

   Apart from this, every second search module is suffering, like Product search, Shopping, Matchmaker, Astrology, Jobs... the list is endless.

   Wherever there is a search module, there is a high chance of vulnerability.

   

  Abhay, the main page search engine might be executing only encoded ones, but search modules on other pages are still happily executing normal scripts. :)

   

  Just an eyewash :) from Rediff.

   

  Thanks,

  Nilesh Kumar CEH ISMS LA

  Security Specialist

  Governance, Risk & Compliance (GRC)
  ________________________________________________________________________ 

  Cell:+91-9891524880 


  SDG Software India Pvt. Ltd. 
  A-10, Sector 2,NOIDA 201301, (UP), INDIA 
  Website: www.sdgc.com 

  Please Note: The e-mail content is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you have erroneously received this message, please delete it immediately and notify the sender. Before opening any attachments please check them for viruses and defects.

   

  From: Nilesh Kumar (India) 
  Sent: Thursday, May 28, 2009 11:00 AM
  To: 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
  Cc: owasp-delhi at lists.owasp.org
  Subject: RE: [Owasp-delhi] Rediff Vulnerability

   

  That's great!

   

  Thanks a lot Nitin for your initiatives!

  It only led to my getting a mail from one Rediff authority saying that the issue would be solved soon, referring to my report sent to them a couple of months back. Now fixed.

   

  Abhay, good job done!

   

  Thanks,

  Nilesh Kumar CEH ISMS LA

  Security Specialist

  Governance, Risk & Compliance (GRC)

  http://nileshkumar83.blogspot.com 

   

  From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of SISA Abhay Bhargav
  Sent: Wednesday, May 27, 2009 7:58 PM
  To: owasp-delhi at lists.owasp.org
  Subject: [Owasp-delhi] Rediff Vulnerability

   

  Hi All

   

  I am pleased to see that the Rediff Search XSS issue has been fixed. Although I reported the issue to Rediff, I would like to thank some members of OWASP Delhi for having taken the matter to a higher plane and reporting it to someone who has been proactive. 

   

  Unfortunately, several other Rediff sites are as vulnerable to XSS as ever. I will probably go ahead and report this issue as well. Hopefully it gets sorted out as quickly as the previous one. 

   

  Check it out: http://citadelnotes.blogspot.com

   

  Regards

  Abhay Bhargav

  CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer



  SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80 41153796

   

   

   

   
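Nilesh's observation above (plain scripts are blocked on the main page, encoded ones are not) is the classic symptom of fixing XSS with an input blocklist instead of output encoding. The following is an added illustration written for this thread, not Rediff's code and not from anyone on the list: a hypothetical search page that reflects the query term into HTML, once with a `<script` blocklist and once with contextual HTML entity encoding. It assumes, for illustration, one common cause of the behaviour described: the blocklist runs on the raw, still URL-encoded parameter, and the application decodes afterwards. The probes are constructed and harmless; the `reflects_script_tag` check is the kind of assertion a regression test for the fix would make.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical search-page rendering written for this thread; it is not
# Rediff's code. The search term is reflected into an HTML text context.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def blocklist_filter(raw_value: str) -> bool:
    """Weak fix: accept the parameter only if no literal '<script' appears.
    Assumed here to run on the raw, still URL-encoded query parameter."""
    return SCRIPT_TAG.search(raw_value) is None


def render_results_blocklist(raw_value: str) -> str:
    """Search page relying on the input blocklist; decoding happens afterwards."""
    if not blocklist_filter(raw_value):
        return "<p>Query rejected</p>"
    term = unquote(raw_value)  # the framework's own URL-decoding step
    return f"<p>Results for: {term}</p>"  # reflected without encoding


def render_results_encoded(raw_value: str) -> str:
    """Correct fix: decode first, then entity-encode for the HTML text context."""
    term = unquote(raw_value)
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_script_tag(page: str) -> bool:
    """Regression check: does the rendered page still contain a live script tag?"""
    return SCRIPT_TAG.search(page) is not None


# Constructed probes: the same harmless tag in plain and URL-encoded form.
PLAIN = "<script>probe()</script>"
ENCODED = "%3Cscript%3Eprobe()%3C/script%3E"


def compare() -> dict:
    """Summarise which approach still reflects a script tag for each probe."""
    return {
        "blocklist_plain": reflects_script_tag(render_results_blocklist(PLAIN)),
        "blocklist_encoded": reflects_script_tag(render_results_blocklist(ENCODED)),
        "encoded_plain": reflects_script_tag(render_results_encoded(PLAIN)),
        "encoded_encoded": reflects_script_tag(render_results_encoded(ENCODED)),
    }


if __name__ == "__main__":
    for name, reflected in compare().items():
        print(f"{name}: {'script tag reflected' if reflected else 'safe'}")
```

Running it shows the blocklist version rejecting the plain probe but reflecting the encoded one, while the entity-encoded version reflects neither. The point for the fix is that encoding at output time, in the context the value lands in, does not depend on guessing every form the input might take; a blocklist on input does, and the ordering of decode and filter is only one of the ways it goes wrong.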