Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
XSS in both major Australian parties
Posted by: bsoric
Date: August 10, 2007 01:26AM

http://www.liberal.org.au/
http://www.alp.org.au/

And just in time for the elections, too.



Edited 4 time(s). Last edit at 10/11/2007 04:35AM by bsoric.

Re: XSS in both major Australian parties
Posted by: Cynic
Date: September 21, 2007 12:14AM

Awesome find!

Might be time to create some fake official bulletins and generate some hilarity.

Perhaps pointing out the fact that the sites probably cost taxpayers hundreds of thousands of dollars..

Re: XSS in both major Australian parties
Posted by: bsoric
Date: September 30, 2007 11:57PM

I submitted a link to the Chaser's guestbook, but it got moderated out
:(



Edited 1 time(s). Last edit at 10/11/2007 04:35AM by bsoric.

Re: XSS in both major Australian parties
Posted by: bsoric
Date: October 07, 2007 11:56PM

The liberals caught on and fixed their vulnerability.



Edited 1 time(s). Last edit at 10/11/2007 04:35AM by bsoric.

Re: XSS in both major Australian parties
Posted by: digi7al64
Date: October 09, 2007 08:43PM

Appears to be fixed after this morning's defacement. Perhaps try the ColdFusion referrer XSS trick I discovered.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: XSS in both major Australian parties
Posted by: kuza55
Date: October 09, 2007 10:37PM

http://www.news.com.au/story/0,23599,22561539-5012863,00.html

Quote
http://www.news.com.au/story/0,23599,22561539-5012863,00.html
Do you know the hacker? Do you know of other examples? Email us at news@news.com.au with reports, tip-offs, and pictures or SMS / MMS 0429 300 245

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: XSS in both major Australian parties
Posted by: digi7al64
Date: October 09, 2007 11:02PM

EDIT: another story
http://www.australianit.news.com.au/story/0,24897,22561869-15306,00.html

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 10/10/2007 05:45AM by digi7al64.

Re: XSS in both major Australian parties
Posted by: bsoric
Date: October 10, 2007 12:12AM

Whoa. I came back to this thread after my other website told me someone had searched for "Sla.ckers xss bsoric".
I'm shocked that it was interesting enough for them to report it in the news.



Edited 1 time(s). Last edit at 10/11/2007 04:36AM by bsoric.

Re: XSS in both major Australian parties
Posted by: Spyware
Date: October 10, 2007 02:21PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.alp.org.au/action/enews/index.php&task=fast_signup&email=%22%3E%3Cscript%3Ealert('Do%20not%20vote%20for%20us%20for%20we%20have%20major%20security%20issues')%3C/script%3E&x=21&y=14

:)

Edit: http://www.vic.liberal.org.au/default.cfm?action=people&type=%3Cimg%20src=asd%20onError=alert(/SpywareForPresident!/)%3E



Edited 1 time(s). Last edit at 10/10/2007 02:36PM by Spyware.

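An added example (not from the thread, and not the code of either party's site) showing the defender's side of the two payload shapes posted above: a triage helper that decodes query parameters from request URLs and flags injection probes, including double-encoded ones, next to the unsafe reflection of a `type` parameter and its HTML-escaped equivalent. The hostname, the double-encoded request and the benign request are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests: the payload shapes mirror the two URLs in the post
# above, but the hostname is a placeholder and the last two requests are made up.
SAMPLE_REQUESTS = [
    "http://party.example.au/action/enews/index.php?task=fast_signup"
    "&email=%22%3E%3Cscript%3Ealert('major%20security%20issues')%3C/script%3E&x=21&y=14",
    "http://party.example.au/default.cfm?action=people"
    "&type=%3Cimg%20src=asd%20onError=alert(/SpywareForPresident!/)%3E",
    # double-encoded variant of the same probe (%25 -> %), missed by a single decode pass
    "http://party.example.au/default.cfm?action=people&type=%253Cimg%2520src=x%2520onError=alert(1)%253E",
    "http://party.example.au/default.cfm?action=people&type=federal%20members",  # benign
]

# Markup that has no business in a plain-text parameter: a tag opener such as
# <script or </script, or an inline event handler such as onError=
XSS_PROBE = re.compile(
    r"<\s*/?\s*[a-z][\w:-]*|\bon(?:error|load|click|mouseover|focus|blur)\s*=",
    re.IGNORECASE,
)

def flag_xss_probes(url: str) -> list:
    """Names of query parameters whose decoded value looks like an HTML/JS injection probe."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # first decode pass
    hits = []
    for name, values in params.items():
        # second decode pass catches double-encoded payloads; harmless on plain text
        if any(XSS_PROBE.search(unquote(value)) for value in values):
            hits.append(name)
    return hits

def reflect_unsafe(type_value: str) -> str:
    """What a page that echoes ?type= effectively did: raw string concatenation."""
    return f'<p>Showing people of type "{type_value}"</p>'

def reflect_escaped(type_value: str) -> str:
    """Same output with the parameter HTML-escaped, so < > " ' & cannot start markup."""
    return f'<p>Showing people of type "{html.escape(type_value, quote=True)}"</p>'

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(flag_xss_probes(url) or "clean", url)
    probe = "<img src=asd onError=alert(/SpywareForPresident!/)>"
    print(reflect_unsafe(probe))   # browser sees a live <img> tag with an event handler
    print(reflect_escaped(probe))  # browser sees the probe as text; nothing executes
```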
Re: XSS in both major Australian parties
Posted by: digi7al64
Date: October 11, 2007 02:51AM

http://www.zdnet.com.au/news/software/soa/Howard-hacker-off-the-hook-AFP/0,130061733,339282738,00.htm?feed=rss

Quote

AFP agent Nigel Phair -- who earlier this week said Australian organisations tend to "sweep security breaches under the carpet" -- defined hacking as "gaining unauthorised access to a computer or computer network".

\0/

Basically this means [and my interpretation is] reflective XSS does not constitute hacking in Australia.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: XSS in both major Australian parties
Posted by: kuza55
Date: October 11, 2007 03:26AM

@digi7al64:

I had a read of the cybercrime act a while back, and iirc, it also includes unauthorised access to data, so while I think testing for it may not be illegal, utilising one to steal info, or perform actions (that can probably be construed as unauthorised access) most probably is.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
