XSS sample using Zone Alarm link

Discussion in 'other security issues & news' started by elio, May 10, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    As a "normal ZA user", I am pretty freaked out about XSS! :eek: :mad: :'( :ouch: o_O :thumbd:

    I am following the advice per http://www.wilderssecurity.com/showpost.php?p=1002678&postcount=38
    I am following the advice per http://www.wilderssecurity.com/showpost.php?p=1002745&postcount=41
    I am following the advice per http://www.wilderssecurity.com/showpost.php?p=1010441&postcount=49
    NO "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)"

    I have a request, every once in a while, can you guys please post a "Recap"?

    (My current setup is in my signature.)

    Mike
  2. fax

    fax Registered Member

    Re: [Split Topic] XSS sample using ZA link

    Uuuhm, looks like the log-in system has changed and your exploit does not work anymore... ;)

    Or I am missing something?

    Cheers,
    Fax
  3. elio

    elio Registered Member

    Re: [Split Topic] XSS sample using ZA link

    They fixed it when this topic was linked by NoScript's author in a Slashdot post, and this PoC had been here for more than one month ;)

    BTW, the same kind of vulnerability is still available on their site (in another, even more visible page) and can be exploited exactly in the same manner.
    But I won't post any link, as promised to forum admins... :rolleyes:
  4. fax

    fax Registered Member

    Re: [Split Topic] XSS sample using ZA link

    As usual you should inform them and send the vulnerable link...

    Cheers,
    Fax