[WEB SECURITY] The hole which can save the world

MustLive mustlive at websecurity.com.ua
Sat Jan 17 15:07:58 EST 2009


Hello!

I want to tell you about the hole which can save the world. Do you love
science fiction? And what about hi-tech fiction? I love both of them :-).
Hi-tech fiction - as I called this genre - is a type of fiction, where the
story is about hi-tech and IT and has some amount of fiction. So I tell you
small story which belongs to hi-tech fiction genre. The story is based on
true story.

And first about one fact on which the story is based on.

It's a XSS vulnerability which I found yesterday (and disclosed already). A
XSS on the page with the highest PR.

In 2007 year during my project Month of Search Engines Bugs I wrote about
XSS hole at www.hotbot.com (http://websecurity.com.ua/1002/) with PR8. It
was a dream for SEO guys (and I made this dream came true). This was my
previous record ;-).

And yesterday I presented new XSS hole at the highest PR page (and made my
new record) - Cross-Site Scripting at sourceforge.net
(http://websecurity.com.ua/2800/) with PR9. So new dream came true.

Take a look at it ASAP, because soon I'll inform admins of sourceforge.net
about the vulnerability.

http://sourceforge.net/account/login.php?ssl_status=%22%3E%3Ca%20href=http://www.webappsec.org/lists/websecurity/%3EWeb%20Security%20Mailing%20List%3C/a%3E

Let's help WASC to improve PR of their Mailing List page (Robert, current
PR5 of this page can be improved ;-)).

And now the story. About the hole which can save the world.

As I said it's hi-tech fiction story, but all estimates can be real, I just
overstated with "saving the world". Not the whole world, but many people can
help themselves with this hole in time of financial and economical crisis. 
It's how I'm trying to help the world to fight with crisis in some way.

The XSS hole at sourceforge.net (which I mentioned above) can be used for
html injection. Particularly for placing links (as I showed above). And its
PR9 can make a lot of people happy. Even more, in our time when there are
many financial problems over the world due financial and economical crisis,
this hole can bring additional earnings for many people. Which is very
important for current time, when a lot of people are dismissing and
unemployment is growing up.

Do you know or not, that with high PR pages you can earn cash. The more PR
the better. And PR9 is very high value and so it can bring additional
earnings (directly or indirectly). Just imagine the world without crisis,
the world of peace and happiness. To make it happened we need only two
things: 1. Google must support links by XSS (not like it ignores them now),
all or just at sourceforge.net. 2. Admins of sourceforge.net must not fix
the hole (at least until crisis will gone). In such way one small XSS hole
can save the world.

As you can see, vulnerabilities can be used not only to attack web sites,
but also to help people ;-). All depends on a human.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list