Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
iso.org vulnerabilities
Posted by: Ams
Date: December 04, 2009 05:12AM

I have found vulnerabilities on iso.org and sent two notification letters. First was sent through web-contact form for technical purposes - no reply, no fixed code. After 5 days second e-mail was sent to manager, but also no reply and no actions taken. I was waiting for reply for one week. So, holes are still up and there. Looks like they are too busy to take care about security of such site.
Anyway, here they are:
XSS: http://www.iso.org/iso/pressrelease.htm?archive=string%3Cscript%3Ealert%28/not%20good/%29%3C/script%3E
And information disclosure: https://store.iso.org/isoweb/app?page=%27basket%2FBasketMain&service=page&guilang=en
There might be more bugs, but I don't have reasons to continue digging.

Options: ReplyQuote
Re: iso.org vulnerabilities
Posted by: PaPPy
Date: December 04, 2009 08:46AM

congrats on the xss, its been out for over a year http://www.xssed.com/mirror/44949/


Options: ReplyQuote
Re: iso.org vulnerabilities
Posted by: Ams
Date: December 04, 2009 10:33AM

I am not top visitor of xssed.com :)
If bug is out for a year this only proves that they are even not grepping their logs. What to say, sadly.


Options: ReplyQuote

Sorry, only registered users may post in this forum.