[Owasp-delhi] Rediff Vulnerability

nileshkumar83 at gmail.com nileshkumar83 at gmail.com
Thu May 28 04:41:58 EDT 2009


Nitin / Sri

   My report, already sent to them, contains a few pages mainly on 'ishare', which
is susceptible to blind SQL injection, which can be used to retrieve
critical information from the site using true/false conditions. However, I am not
sure whether those sort URLs still exist on the site.

On Thu, May 28, 2009 at 1:54 PM, Nitin Saxena <nitins at cybermedia.co.in> wrote:

>  Sure, at present I have escalated this to some of their senior management.
> If required we will collate our efforts as Delhi OWASP*ians* to get this
> corrected.
>
> If there are any more such escalations to be made in this or other
> contexts, do let me know; I will make a representation to the designated
> authorities.
>
>
> Regards
> Nitin Saxena
>
> ----- Original Message -----
> *From:* Lakshmanan, Sriram <sriram_lakshmanan at uhc.com>
> *To:* Nitin Saxena <nitins at cybermedia.co.in> ; Nilesh Kumar (India)<Nilesh.Kumar at sdgc.com>;
> abhay.bhargav at sisa.co.in
> *Cc:* owasp-delhi at lists.owasp.org
> *Sent:* Thursday, May 28, 2009 1:50 PM
> *Subject:* RE: [Owasp-delhi] Rediff Vulnerability
>
> You are right Nitin.
> Rediff, I'm told, is actually performing an assessment of things they need
> to fix on all their web presence and also fixing them as they go along. If
> any of you have a report on other issues on that site, pass it along & I can
> forward it to someone who is coordinating these XSSs to be fixed. Nitin,
> Abhay and Nilesh are already marked on my previous communication to that
> person.
>
> Cheers/Sri
>
>  ------------------------------
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Nitin Saxena
> *Sent:* Thursday, May 28, 2009 12:47 PM
> *To:* Nilesh Kumar (India); abhay.bhargav at sisa.co.in
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Rediff Vulnerability
>
>  They may have started rectifying the vulnerabilities at the moment; let's
> wait for a few more days and see if it is corrected.
>
> Regards
> Nitin Saxena
>
>  ----- Original Message -----
> *From:* Nilesh Kumar (India) <Nilesh.Kumar at sdgc.com>
> *To:* nitins at cybermedia.co.in ; abhay.bhargav at sisa.co.in
> *Cc:* owasp-delhi at lists.owasp.org
> *Sent:* Thursday, May 28, 2009 12:34 PM
> *Subject:* FW: [Owasp-delhi] Rediff Vulnerability
>
>           Sorry, still not fixed completely. Even on the main page itself it
> is restricting scripts in simple form, but not encoded ones. ;)
>
>  Apart from this, every second search module is suffering, like Product
> search, Shopping, Matchmaker, Astrology, Jobs, endlessly.
>
>  Wherever there is a search module, there is a high chance of vulnerability.
>
> Abhay, the main page search engine might be executing only encoded ones, but
> the search modules on other pages are still *happily* executing normal scripts. :)
>
> Just an eyewash :) from Rediff.
>
> Thanks,
>
> *Nilesh Kumar CEH ISMS LA*
>
> Security Specialist
>
> *G*overnance, *R*isk & *C*ompliance (GRC)
> ________________________________________________________________________
>
> Cell:+91-9891524880
>
>
> *SDG Software India Pvt. Ltd.*
> A-10, Sector 2,NOIDA 201301, (UP), INDIA
> Website: *www.sdgc.com *
>
>
> *From:* Nilesh Kumar (India)
> *Sent:* Thursday, May 28, 2009 11:00 AM
> *To:* 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* RE: [Owasp-delhi] Rediff Vulnerability
>
> That's great!
>
> Thanks a lot *Nitin* for your initiatives!
>
> It only led to my getting a mail from one Rediff authority saying that the issue will
> be solved soon, referring to the report I sent them a couple of months back. Now
> fixed.
>
> *Abhay*, good job done!
>
> Thanks,
>
> *Nilesh Kumar CEH ISMS LA*
>
> Security Specialist
>
> *G*overnance, *R*isk & *C*ompliance (GRC)
>
> http://nileshkumar83.blogspot.com
> ________________________________________________________________________
>
> Cell:+91-9891524880
>
>
> *SDG Software India Pvt. Ltd.*
> A-10, Sector 2,NOIDA 201301, (UP), INDIA
> Website: *www.sdgc.com *
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *SISA Abhay Bhargav
> *Sent:* Wednesday, May 27, 2009 7:58 PM
> *To:* owasp-delhi at lists.owasp.org
> *Subject:* [Owasp-delhi] Rediff Vulnerability
>
> Hi All
>
> I am pleased to see that the Rediff Search XSS issue has been fixed.
> Although I reported the issue to Rediff, I would like to thank some members
> of OWASP Delhi for having taken the matter to a higher plane and reporting
> it to someone who has been proactive.
>
> Unfortunately, several other Rediff sites are as vulnerable to XSS as ever.
> I will probably go ahead and report this issue as well. Hopefully it gets
> sorted out as quickly as the previous one.
>
> Check it out: http://citadelnotes.blogspot.com
>
> Regards
>
> *Abhay Bhargav*
>
> *CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer*
>
> <http://www.sisa.co.in/>
>
> *SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80 41153796*
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>


-- 
Thanks & Regards,
Nilesh Kumar,
Security Specialist | SDG Corporation
www.sdgc.com
www.nileshkumar83.blogspot.com
www.linkedin.com/in/nileshkumar83
Mobile- +91-9891524880