[Owasp-delhi] Rediff Vulnerability

Abhay Bhargav ab at sisa.co.in
Thu May 28 09:30:43 EDT 2009


As discussed previously, it is quite evident that several of their  
sites are susceptible to Cross Site Scripting and other issues. I have  
written to them twice already. But their response has not yet arrived.

Regards
Abhay





On May 28, 2009, at 2:11 PM, nileshkumar83 at gmail.com wrote:

> Nitin / Sri
>
>    The report I already sent them contains a few pages, mainly on 'ishare',
> which are susceptible to blind SQL injection, which can be used to
> retrieve critical information from the site using true/false conditions.
> However, I am not sure whether those sorts of URLs still exist on the site.
>
> On Thu, May 28, 2009 at 1:54 PM, Nitin Saxena  
> <nitins at cybermedia.co.in> wrote:
> Sure, at present I have escalated this to some of their senior
> management. If required we will collate our efforts as Delhi
> OWASPians to get this corrected.
>
> If there are any more such escalations to be made in this or other
> contexts, do let me know; I will make a representation to the
> designated authorities.
>
>
> Regards
> Nitin Saxena
> ----- Original Message -----
> From: Lakshmanan, Sriram
> To: Nitin Saxena ; Nilesh Kumar (India) ; abhay.bhargav at sisa.co.in
> Cc: owasp-delhi at lists.owasp.org
> Sent: Thursday, May 28, 2009 1:50 PM
> Subject: RE: [Owasp-delhi] Rediff Vulnerability
>
> You are right Nitin.
> Rediff, I'm told, is actually performing an assessment of things
> they need to fix on all their web presence and also fixing them as
> they go along. If any of you have a report on other issues on that
> site, pass it along & I can forward it to someone who is
> coordinating these XSSes to be fixed. Nitin, Abhay and Nilesh are
> already marked on my previous communication to that person.
>
> Cheers/Sri
>
> From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Nitin Saxena
> Sent: Thursday, May 28, 2009 12:47 PM
> To: Nilesh Kumar (India); abhay.bhargav at sisa.co.in
>
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [Owasp-delhi] Rediff Vulnerability
>
> They may have started rectifying the vulnerabilities at moment,  
> let's wait for a few days more and see if it is corrected.
>
> Regards
> Nitin Saxena
> ----- Original Message -----
> From: Nilesh Kumar (India)
> To: nitins at cybermedia.co.in ; abhay.bhargav at sisa.co.in
> Cc: owasp-delhi at lists.owasp.org
> Sent: Thursday, May 28, 2009 12:34 PM
> Subject: FW: [Owasp-delhi] Rediff Vulnerability
>
> Sorry, still not fixed completely. Even on the main page itself
> it is restricting scripts in simple form, but not encoded ones. ;)
>
> Apart from this, every second search module is suffering, like
> Product search, Shopping, Matchmaker, Astrology, Jobs; endless.
>
> Wherever there is a search module, there is a high chance of vulnerability.
>
>
> Abhay, the main page search engine might be executing only encoded ones,
> but search modules on other pages are still happily executing normal
> scripts. :)
>
>
> Just an eyewash :) from Rediff.
>
>
> Thanks,
>
> Nilesh Kumar CEH ISMS LA
>
> Security Specialist
>
> Governance,Risk &  Compliance (GRC)
> ________________________________________________________________________
>
> Cell:+91-9891524880
>
>
> SDG Software India Pvt. Ltd.
> A-10, Sector 2,NOIDA 201301, (UP), INDIA
> Website: www.sdgc.com
>
>
>
> From: Nilesh Kumar (India)
> To: 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
> Cc: owasp-delhi at lists.owasp.org
> Sent: Thursday, May 28, 2009 11:00 AM
> Subject: RE: [Owasp-delhi] Rediff Vulnerability
>
>
> That's great!
>
>
> Thanks a lot Nitin for your initiatives!
>
> It only led to my getting a mail from one Rediff authority saying that the
> issue will be solved soon, referring to my report sent to them a couple
> of months back. Now fixed.
>
>
> Abhay, good job done!
>
>
> Thanks,
>
> Nilesh Kumar CEH ISMS LA
>
> Security Specialist
>
> Governance,Risk &  Compliance (GRC)
>
> http://nileshkumar83.blogspot.com
> ________________________________________________________________________
>
> Cell:+91-9891524880
>
>
> SDG Software India Pvt. Ltd.
> A-10, Sector 2,NOIDA 201301, (UP), INDIA
> Website: www.sdgc.com
>
>
>
> From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of SISA Abhay Bhargav
> Sent: Wednesday, May 27, 2009 7:58 PM
> To: owasp-delhi at lists.owasp.org
> Subject: [Owasp-delhi] Rediff Vulnerability
>
>
> Hi All
>
>
> I am pleased to see that the Rediff Search XSS issue has been fixed.  
> Although I reported the issue to Rediff, I would like to thank some  
> members of OWASP Delhi for having taken the matter to a higher plane  
> and reporting it to someone who has been proactive.
>
>
> Unfortunately, several other Rediff sites are as vulnerable to XSS  
> as ever. I will probably go ahead and report this issue as well.  
> Hopefully it gets sorted out as quickly as the previous one.
>
>
> Check it out: http://citadelnotes.blogspot.com
>
>
> Regards
>
> Abhay Bhargav
>
> CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer
>
>
>
> SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80  
> 41153796
>
>
>
>
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
>
>
> -- 
> Thanks & Regards,
> Nilesh Kumar,
> Security Specialist | SDG Corporation
> www.sdgc.com
> www.nileshkumar83.blogspot.com
> www.linkedin.com/in/nileshkumar83
> Mobile- +91-9891524880
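The partial fix Nilesh describes above (a filter that blocks a plain `<script>` tag but lets an encoded form through) compared with context-aware output encoding, as an added example that is not part of this thread and not Rediff's code; the page template, function names and sample inputs are constructed for illustration:

```python
import html
from urllib.parse import unquote

# Constructed stand-in for a search page that reflects the query
# into an HTML element (illustration only, not Rediff's code).
PREFIX = "<p>Results for: <b>"
SUFFIX = "</b></p>"


def reflect_with_blacklist(raw_query: str) -> str:
    """Weak fix: look for the literal tag in the raw parameter, then
    URL-decode and reflect verbatim. Because the check runs before
    decoding, only the plain form is ever caught."""
    if "<script" in raw_query.lower():
        return PREFIX + SUFFIX  # blocked: nothing reflected
    return PREFIX + unquote(raw_query) + SUFFIX


def reflect_with_encoding(raw_query: str) -> str:
    """Proper fix: decode first, then HTML-encode for the element
    context. Every input is neutralised regardless of how it was sent."""
    return PREFIX + html.escape(unquote(raw_query), quote=True) + SUFFIX


def reflected_part_is_inert(page: str) -> bool:
    """True when the reflected text carries no raw markup characters."""
    inner = page[len(PREFIX):len(page) - len(SUFFIX)]
    return not any(ch in inner for ch in "<>\"'")


# Constructed inputs: a benign query, the plain form the filter
# catches, and the URL-encoded form of the same text that it misses.
SAMPLES = {
    "benign": "owasp delhi",
    "plain": "<script>alert(1)</script>",
    "encoded": "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
}


def audit(render) -> dict:
    """Run every sample through a renderer and report which come out inert."""
    return {name: reflected_part_is_inert(render(q)) for name, q in SAMPLES.items()}


if __name__ == "__main__":
    print("blacklist:", audit(reflect_with_blacklist))  # 'encoded' -> False
    print("encoding: ", audit(reflect_with_encoding))   # all True
```

The audit makes the thread's observation concrete: a pre-decoding blacklist passes only the cases it was tested with, while encoding at the output point is independent of how the input arrived.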
