Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Google Urchin password theft madness

from [pagvac] Network Security [Permanent Link]
Subject: Google Urchin password theft madness
Date: Mon, 24 Sep 2007 19:20:17 +0100 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a trivially exploitable XSS vul on Google Urchin Web Analytics
5's login page. The vulnerability has been tested on versions 5.6.00r2,
v5.7.01, 5.7.02 and 5.7.03 (latest). Previous versions are most likely
to be affected as well.

I know that you're sick of XSS PoCs that only open alert boxes. So I
crafted a exploit URL that will steal the victim's username and password
by simply clicking on it:

http://www.gnucitizen.org/blog/google-urchin-password-theft-madness

PS: demo video included!

- --
pagvac
[http://gnucitizen.org, http://ikwt.com/]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFG9//fjXB4hX6OC/cRAnchAJ4k9U4i8ZW1Cf8CjbNuivYlCHqjCQCeIVyj
oZ2fz06792VVGEkfpPwjCMs=
=Uz1y
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Google Urchin password theft madness, pagvac <=
Previous by Date:  Re: New bypass shell for linux, none
Next by Date:  Re: Re: 0day: PDF pwns Windows, Lamont Granquist
Previous by Thread:  Arbitrary Command Inclusion, darkbunny91
Next by Thread:  rPSA-2007-0198-1 kernel, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]