[Owasp-delhi] Rediff Vulnerability

Lakshmanan, Sriram sriram_lakshmanan at uhc.com
Thu May 28 04:20:02 EDT 2009


You are right, Nitin.
Rediff, I'm told, is actually performing an assessment of things they
need to fix on all their web presence and also fixing them as they go
along. If any of you have a report on other issues on that site, pass it
along & I can forward it to someone who is coordinating these XSS issues to
be fixed. Nitin, Abhay and Nilesh are already marked on my previous
communication to that person.
 
Cheers/Sri

________________________________

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Nitin Saxena
Sent: Thursday, May 28, 2009 12:47 PM
To: Nilesh Kumar (India); abhay.bhargav at sisa.co.in
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Rediff Vulnerability


They may have started rectifying the vulnerabilities at the moment, let's
wait for a few days more and see if it is corrected.

Regards
Nitin Saxena

	----- Original Message ----- 
	From: Nilesh Kumar (India) <mailto:Nilesh.Kumar at sdgc.com>  
	To: nitins at cybermedia.co.in ; abhay.bhargav at sisa.co.in 
	Cc: owasp-delhi at lists.owasp.org 
	Sent: Thursday, May 28, 2009 12:34 PM
	Subject: FW: [Owasp-delhi] Rediff Vulnerability


	Sorry, still not fixed completely. Even on the main page itself it
is restricting scripts in simple form... but not encoded ones. ;)

	Apart from this, every second search module is suffering, like
Product search, Shopping, Matchmaker, Astrology, Jobs... endless.

	Wherever there is a search module, high chance of vulnerability.

	Abhay, the main page search engine might be executing only encoded
ones, but search modules on other pages are still happily executing normal
scripts. :)

	Just an eyewash :) from Rediff.

	 

	Thanks,

	Nilesh Kumar CEH ISMS LA

	Security Specialist

	Governance,Risk &  Compliance (GRC)
	
________________________________________________________________________


	Cell:+91-9891524880 

	
	SDG Software India Pvt. Ltd. 
	A-10, Sector 2,NOIDA 201301, (UP), INDIA 
	Website: www.sdgc.com 
	
	Please Note: The e-mail content is intended for the sole use of
the intended recipient/s and may contain material that is CONFIDENTIAL
AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or
copying or distribution or forwarding of any or all of the contents in
this message is STRICTLY PROHIBITED. If you have erroneously received
this message, please delete it immediately and notify the sender. Before
opening any attachments please check them for viruses and defects.

	 

	From: Nilesh Kumar (India) 
	Sent: Thursday, May 28, 2009 11:00 AM
	To: 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
	Cc: owasp-delhi at lists.owasp.org
	Subject: RE: [Owasp-delhi] Rediff Vulnerability

	 

	That's great!

	Thanks a lot Nitin for your initiatives!

	It only led to my getting a mail from one Rediff Authority that the
issue will be solved soon, referring to my report sent to them a couple of
months back. Now fixed.

	Abhay, good job done!

	 

	Thanks,

	Nilesh Kumar CEH ISMS LA

	Security Specialist

	Governance,Risk &  Compliance (GRC)

	http://nileshkumar83.blogspot.com 
	
________________________________________________________________________


	Cell:+91-9891524880 

	
	SDG Software India Pvt. Ltd. 
	A-10, Sector 2,NOIDA 201301, (UP), INDIA 
	Website: www.sdgc.com 
	

	From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of SISA Abhay
Bhargav
	Sent: Wednesday, May 27, 2009 7:58 PM
	To: owasp-delhi at lists.owasp.org
	Subject: [Owasp-delhi] Rediff Vulnerability

	 

	Hi All

	 

	I am pleased to see that the Rediff Search XSS issue has been
fixed. Although I reported the issue to Rediff, I would like to thank
some members of OWASP Delhi for having taken the matter to a higher
plane and reporting it to someone who has been proactive. 

	 

	Unfortunately, several other Rediff sites are as vulnerable to
XSS as ever. I will probably go ahead and report this issue as well.
Hopefully it gets sorted out as quickly as the previous one. 

	 

	Check it out: http://citadelnotes.blogspot.com

	 

	Regards

	Abhay Bhargav

	CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer

	  <http://www.sisa.co.in/> 

	SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80
41153796


This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.
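Nilesh's observation in the thread above, that the main-page search stopped plain script tags but not encoded ones, is the behaviour you get when a blacklist filter inspects the query parameter before the framework percent-decodes it. The Python below is an added example for this list post, not code from Rediff or from anyone in the thread; the handler names, the blacklist pattern and the sample query strings are constructed for illustration, and the filter-before-decode ordering is an assumed cause, not something the thread confirms. It contrasts that filter-then-decode echo, which misses the percent-encoded form, with HTML entity encoding at the output point, which neutralises both forms without needing a blacklist at all.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs: the same query typed plainly and percent-encoded,
# as a browser or a crafted link would submit it in ?q=...
PLAIN_QUERY = "shoes<script>t</script>"
ENCODED_QUERY = "shoes%3Cscript%3Et%3C%2Fscript%3E"

RESULT_PREFIX = "<p>Results for: "
RESULT_SUFFIX = "</p>"


def naive_blacklist(query: str) -> str:
    """Hypothetical blacklist filter: strips opening and closing script tags.

    Blacklists only ever match the spellings their author thought of; here
    the filter has no idea that "%3Cscript" is the same thing.
    """
    return re.sub(r"</?script", "", query, flags=re.IGNORECASE)


def render_blacklist(raw_query: str) -> str:
    """Echo the search term after filtering, then decoding (the wrong order).

    The filter runs on the raw, still-encoded parameter; the value is decoded
    afterwards for display, so an encoded payload reaches the page intact.
    """
    filtered = naive_blacklist(raw_query)
    return f"{RESULT_PREFIX}{unquote(filtered)}{RESULT_SUFFIX}"


def render_escaped(raw_query: str) -> str:
    """Echo the search term with contextual output encoding.

    Canonicalise first (decode), then entity-encode at the point where the
    value enters HTML text. No input can turn into markup, so no blacklist
    is needed and encoded and plain forms render identically.
    """
    decoded = unquote(raw_query)
    return f"{RESULT_PREFIX}{html.escape(decoded, quote=True)}{RESULT_SUFFIX}"


def contains_markup(rendered: str) -> bool:
    """Defender's check: did the echoed term introduce a tag into the page body?

    Only the user-controlled segment between the fixed prefix and suffix is
    inspected; a literal '<' there means the input became HTML.
    """
    body = rendered[len(RESULT_PREFIX):-len(RESULT_SUFFIX)]
    return "<" in body


if __name__ == "__main__":
    for label, query in (("plain", PLAIN_QUERY), ("encoded", ENCODED_QUERY)):
        print(f"[{label}] blacklist -> markup injected: "
              f"{contains_markup(render_blacklist(query))}")
        print(f"[{label}] escaped   -> markup injected: "
              f"{contains_markup(render_escaped(query))}")
```

Run as a script it reports that the blacklist path lets the encoded query through while the escaped path neutralises both. The lesson for the search modules Nilesh lists is the same: a filter that has to anticipate every encoding of an input will always be behind; encoding the output for the HTML context it lands in is the fix that does not depend on guessing.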