[Owasp-delhi] FW: Rediff Vulnerability

Nilesh Kumar (India) Nilesh.Kumar at sdgc.com
Thu May 28 03:04:25 EDT 2009


Sorry, still not fixed completely. Even on the main page itself it
is restricting scripts in simple form ... but not encoded ones. ;)

Apart from this, every second search module is suffering, like Product
search, Shopping, Matchmaker, Astrology, Jobs, endless.

Wherever there is a search module, there is a high chance of vulnerability.

 

Abhay, the main page search engine might be executing only encoded ones, but
search modules on other pages are still happily executing normal scripts. :)

 

Just an eyewash :) from Rediff.

 

Thanks,

Nilesh Kumar CEH ISMS LA

Security Specialist

Governance, Risk & Compliance (GRC)
________________________________________________________________________


Cell:+91-9891524880 


SDG Software India Pvt. Ltd. 
A-10, Sector 2,NOIDA 201301, (UP), INDIA 
Website: www.sdgc.com 

Please Note: The e-mail content is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying
or distribution or forwarding of any or all of the contents in this
message is STRICTLY PROHIBITED. If you have erroneously received this
message, please delete it immediately and notify the sender. Before
opening any attachments please check them for viruses and defects.
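The partial fix described above (literal script tags blocked, encoded ones not) is the typical result of a blacklist applied to the raw query before it is decoded. As an added example, not code from this thread or from Rediff, the following Python models that blacklist fix next to the correct fix (HTML-escaping at the point of output) and adds the regression check a reviewer would run to tell the two apart. The regex, the renderer layout and the sample queries are all constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of a "block <script> in simple form" fix: a blacklist
# applied to the raw, still URL-encoded query string.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

PREFIX = "<h2>Results for: "
SUFFIX = "</h2>"


def blacklist_fix(raw_query: str) -> str:
    """Strip literal <script> tags from the raw query (the incomplete fix)."""
    return SCRIPT_TAG.sub("", raw_query)


def render_blacklist(raw_query: str) -> str:
    """Render with the blacklist fix: filter, then URL-decode, then interpolate
    the decoded text into HTML without escaping. The decode step happens after
    the check, so an encoded tag is never seen by the blacklist."""
    decoded = unquote(blacklist_fix(raw_query))
    return f"{PREFIX}{decoded}{SUFFIX}"


def render_escaped(raw_query: str) -> str:
    """Correct fix: decode first, then HTML-escape at output. No blacklist is
    needed because every '<', '>', '&' and quote is neutralised regardless of
    how the input was encoded on the way in."""
    decoded = unquote(raw_query)
    return f"{PREFIX}{html.escape(decoded, quote=True)}{SUFFIX}"


def user_markup_survives(renderer, raw_query: str) -> bool:
    """Defender's regression check: does a '<' from the user's decoded input
    reach the page as a raw angle bracket? True means the fix is incomplete."""
    decoded = unquote(raw_query)
    if "<" not in decoded:
        return False  # nothing to smuggle; trivially safe
    page = renderer(raw_query)
    user_part = page[len(PREFIX):len(page) - len(SUFFIX)]
    return "<" in user_part


# Constructed sample queries: the same tag in plain and URL-encoded form.
SAMPLE_QUERIES = [
    "shoes & socks",
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"query: {q!r}")
        print("  blacklist fix leaks markup:", user_markup_survives(render_blacklist, q))
        print("  escaped output leaks markup:", user_markup_survives(render_escaped, q))
```

The check is deliberately independent of any list of bad strings: it asks whether user-controlled angle brackets appear raw in the output at all, which is the property a complete fix has to guarantee, so it keeps working against variants the blacklist was never written for.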

 

From: Nilesh Kumar (India) 
Sent: Thursday, May 28, 2009 11:00 AM
To: 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
Cc: owasp-delhi at lists.owasp.org
Subject: RE: [Owasp-delhi] Rediff Vulnerability

 

That's great!

 

Thanks a lot Nitin for your initiatives!

It only led to my getting a mail from one Rediff authority that the issue
will be solved soon, referring to my report sent to them a couple of months
back. Now fixed.

 

Abhay, good job done!

 

Thanks,

Nilesh Kumar CEH ISMS LA

Security Specialist

Governance, Risk & Compliance (GRC)

http://nileshkumar83.blogspot.com 
________________________________________________________________________


Cell:+91-9891524880 


SDG Software India Pvt. Ltd. 
A-10, Sector 2,NOIDA 201301, (UP), INDIA 
Website: www.sdgc.com 


 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of SISA Abhay
Bhargav
Sent: Wednesday, May 27, 2009 7:58 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Rediff Vulnerability

 

Hi All

 

I am pleased to see that the Rediff Search XSS issue has been fixed.
Although I reported the issue to Rediff, I would like to thank some
members of OWASP Delhi for having taken the matter to a higher plane and
reporting it to someone who has been proactive. 

 

Unfortunately, several other Rediff sites are as vulnerable to XSS as
ever. I will probably go ahead and report this issue as well. Hopefully
it gets sorted out as quickly as the previous one. 

 

Check it out: http://citadelnotes.blogspot.com

 

Regards

Abhay Bhargav

CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer

  <http://www.sisa.co.in/> 

SISA Information Security (P) Ltd | Ph 91 80 41153769 | Fx 91 80 41153796