Regarding XSS

<<

lovewadhwa

Newbie

Posts: 16

Joined: Mon Jun 04, 2007 8:11 am

Post Thu Aug 09, 2007 11:53 pm

Regarding XSS

What I do need to know is how encoding specification in HTML coding helps prevent these attacks. I mean, I have been reading articles on the same and they say that specifying the character encoding helps prevent XSS since it helps in determining special characters. Now I am not getting this. Please explain how that happens and how charset encoding specification helps prevent XSS.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Aug 10, 2007 8:46 am

Re: Regarding XSS

If you properly filter/sanitize your input and any gateways/variables, disallow code, etc. you will prevent XSS. Simple as that.
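
Background for the charset question, as an added example that is not part of the original thread: output escaping only recognises special characters in the encoding the server assumes, so a response with no declared charset leaves the client free to guess a different one. The sketch assumes a legacy client that falls back to UTF-7 when nothing is declared; `build_response`, `client_decode` and the sample input are constructed for illustration.

```python
import html

# Constructed sample input: contains no ASCII '<' or '>'. Under UTF-7,
# "+ADw-" decodes to '<' and "+AD4-" to '>'. A harmless <b> tag stands in
# for any injected markup.
UNTRUSTED = "+ADw-b+AD4-hello+ADw-/b+AD4-"


def build_response(user_text, charset=None):
    """Escape user text for HTML and return (content_type, body_bytes)."""
    escaped = html.escape(user_text)          # escapes & < > " ' only
    content_type = "text/html"
    if charset:
        content_type += "; charset=" + charset
    return content_type, escaped.encode("ascii")


def client_decode(content_type, body, sniffed="utf-7"):
    """Hypothetical legacy client: honour a declared charset, else guess."""
    declared = None
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.lower() == "charset":
            declared = value.strip('"')
    return body.decode(declared or sniffed)


def has_live_markup(text):
    """True if the decoded page contains a raw tag-opening character."""
    return "<" in text


def demo(user_text, charset):
    """Serve user_text with the given charset; report what the client sees."""
    content_type, body = build_response(user_text, charset)
    return has_live_markup(client_decode(content_type, body))


if __name__ == "__main__":
    print("no charset declared :", demo(UNTRUSTED, None))
    print("charset=utf-8       :", demo(UNTRUSTED, "utf-8"))
    print("plain '<b>' input   :", demo("<b>hello</b>", None))
```

The escaping step is identical in all three runs; only the declared charset decides whether the client and the server agree on which bytes are special characters.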
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Fri Dec 28, 2007 10:38 am

Re: Regarding XSS

This page is being used as an example of XSS vulnerabilities over from sla.ckers.org.

http://www.ethicalhacker.net/component/ ... (%22xss%22)%3C/script%08%3E/script%3E,666/topic,1584.0/

This URL also discloses an SQL injection vulnerability on this very site.

Aha. "mos_menu"... Mambo/Joomla in use == vulnerable. Sad to see, really.
Last edited by somebot on Fri Dec 28, 2007 10:42 am, edited 1 time in total.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Dec 28, 2007 10:47 am

Re: Regarding XSS

Thank you for pointing this out. I'm sure Don will be looking into the fix for this ASAP.
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Fri Dec 28, 2007 11:08 am

Re: Regarding XSS

You're all welcome.

As a Linux System Admin for a managed hosting company, I see many of these vulnerabilities nightly (I'm a late-night shift worker). Sadly, many of these vulnerabilities exist with Mambo/Joomla sites. I usually recommend against using those packages, myself.
<<

LSOChris

Post Fri Dec 28, 2007 2:11 pm

Re: Regarding XSS

And you recommend what instead?
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Fri Dec 28, 2007 5:43 pm

Re: Regarding XSS

Drupal, if one must use a PHP CMS.
<<

LSOChris

Post Fri Dec 28, 2007 7:59 pm

Re: Regarding XSS

I'm sleepy so it's probably there, but I don't see the page where it talks about how and why Drupal is so inherently better than the other CMSs out there. Or it's just because it doesn't use all the mos_whatever modules?
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Fri Dec 28, 2007 9:28 pm

Re: Regarding XSS

Chris,

You asked what I recommend, not what is "recommended". There isn't a page that I based that info off of -- it's from personal experience. I have yet to see a major Drupal installation that has been routinely hacked, cracked and used to host child porn, IRC (eggbot anyone?), phishing scams, etc., or provide a way to test privilege escalation attacks after gaining shell access as the Apache system account user. As for Mambo/Joomla, I see these literally every night I am at work. Many times it is the same sites again and again.

A number of sysadmins I know from work or from other associations use Drupal. That's how I learned of it, myself.

Perhaps I should put up a page. But then it would be drowned out by pages with expertise like "Why chmod 777 is NOT a security risk". Ya know?
<<

LSOChris

Post Sat Dec 29, 2007 10:04 am

Re: Regarding XSS

Yup, I am following on that.

Do you think it's because there aren't as many people running Drupal as opposed to Joomla that is resulting in what you are seeing? Or something else?

If something is secure only because people aren't targeting it (yet), that seems like you may be in either the 1) just wait, the hacks will come category or 2) the user and development population is low and don't expect patches or new updates.

Oh, and since we are talking about CMSs, do any of them have an update management system that would tell you that moduleX or ModuleY are outdated and should be upgraded?
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Sat Dec 29, 2007 4:54 pm

Re: Regarding XSS

ChrisG wrote: Yup, I am following on that.

Do you think it's because there aren't as many people running Drupal as opposed to Joomla that is resulting in what you are seeing? Or something else?

If something is secure only because people aren't targeting it (yet), that seems like you may be in either the 1) just wait, the hacks will come category or 2) the user and development population is low and don't expect patches or new updates.

Yeah, I don't buy the Microsoft-ish argument about "popularity==vulnerability". Anyway, Drupal may or may not be popular. Don't know.

ChrisG wrote: Oh, and since we are talking about CMSs, do any of them have an update management system that would tell you that moduleX or ModuleY are outdated and should be upgraded?

mos_* refer to major [platform-]components of Mambo/Joomla, I believe, and not [add-on] components. The best resource for finding the security vulnerabilities seems to be SecurityFocus and Milw0rm, and not those two packages. They seem more focused on promotion than information (last I looked).

For fun and profit:

http://www.milw0rm.com/search.php?dong=joomla&Submit=Submit

http://www.milw0rm.com/search.php?dong=mambo&Submit=Submit

http://www.milw0rm.com/search.php?dong=drupal&Submit=Submit
Last edited by somebot on Sat Dec 29, 2007 5:12 pm, edited 1 time in total.
<<

somebot

Newbie

Posts: 6

Joined: Fri Dec 28, 2007 10:34 am

Post Fri Jan 04, 2008 9:59 am

XSS and SQL Injection exploit still not patched

The XSS and SQL injection exploit revealed in this thread for this forum is still not patched or mitigated. If I can be of assistance, let me know (privately).
