Sla.ckers.org
zone-h defacement - Nice usage of XSS
Posted by: blad3
Date: December 23, 2006 12:42AM

Quote from zone-h:

As you may have noticed, Zone-H got defaced in the night between Dec 21st and Dec 22nd. This was an elaborate attack that was possible (as with most of the past Zone-H incidents) starting with the exploitation of the human factor. We are pleased to post this explanation as it is a very good example of how your security can be jeopardized by bugs, and ones (Hotmail) apparently not related to the system you are using.

http://www.zone-h.org/content/view/14458/31/

Re: zone-h defacement - Nice usage of XSS
Posted by: jungsonn
Date: December 23, 2006 07:11AM

Quote

Our non-fault was: using an open source CMS such as Joomla. All CMSs contain bugs and even assuming you had enough time to code your own CMS (have you any idea how long it would take?) it would probably still be vulnerable.

That is exactly wrong; never use those pre-built software packages, I say. Google your favorite CMS plus the word "exploit" after it and you will understand.

(have you any idea how long it would take?)
Yeah, I know how long that takes; I build a custom secure CMS for you in around 3-4 days, 7 days max.

it would probably still be vulnerable.
Still be vulnerable? Then they are doing something very wrong, because you can secure a CMS against XSS.

Re: zone-h defacement - Nice usage of XSS
Posted by: Luny
Date: December 23, 2006 11:25AM

I agree with you there jung. Just take a look at phpnuke.

*shudders*.

Widely used and widely exploited.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: zone-h defacement - Nice usage of XSS
Posted by: jungsonn
Date: December 23, 2006 04:41PM

I found that many implement fancy templating functions, calendars, separate parsing modules, and other really odd stuff to make it "user friendly and easy to install". Actually there isn't a one-size-fits-all formula; that would be great, but alas... Same with WordPress a while ago, real shame on the developers. It was an input hole where nothing was escaped or converted; it went right into the DB, and affected anyone using that version of WordPress. A blog user of WordPress thought about checking the source when he found it. Scary stuff if you ask me.

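As an added example that is not part of this thread or of any CMS named in it, the Python sketch below models the "nothing was escaped, it went right into the DB" comment path jungsonn describes, beside the escape-at-output fix that keeps the stored text inert in both element text and attribute context. The in-memory sqlite table, the sample comment and the function names (store_comment, render_vulnerable, render_hardened) are all constructed for the illustration.

```python
"""Stored XSS in a CMS comment path: vulnerable vs. hardened rendering.

Constructed example (not Zone-H, Joomla or WordPress code). The lesson:
the database accepting raw text is not the bug; failing to escape for the
HTML context at output time is.
"""
import html
import sqlite3

# Constructed sample input: a visitor "comment" carrying markup and quotes.
SAMPLE_COMMENT = '<script>alert(1)</script> nice post "quoted"'


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS comments table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return con


def store_comment(con: sqlite3.Connection, body: str) -> int:
    """Parameterised insert; the raw text is stored as typed (storing it
    unchanged is fine, since escaping belongs at the output boundary)."""
    cur = con.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return cur.lastrowid


def render_vulnerable(con: sqlite3.Connection, cid: int) -> str:
    """The hole from the thread: stored text is dropped straight into the
    page, so any markup in it is interpreted by the browser."""
    (body,) = con.execute("SELECT body FROM comments WHERE id=?", (cid,)).fetchone()
    return f'<li class="comment">{body}</li>'


def render_hardened(con: sqlite3.Connection, cid: int) -> str:
    """Escape once per output context: html.escape(quote=True) neutralises
    & < > " and ', so the value is inert as element text and inside a
    double-quoted attribute."""
    (body,) = con.execute("SELECT body FROM comments WHERE id=?", (cid,)).fetchone()
    safe = html.escape(body, quote=True)
    return f'<li class="comment" title="{safe}">{safe}</li>'


def demo() -> tuple[str, str]:
    """Store the sample comment once and render it both ways."""
    con = make_db()
    cid = store_comment(con, SAMPLE_COMMENT)
    return render_vulnerable(con, cid), render_hardened(con, cid)


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
```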