
Re: [hobbit] RE: Hobbit Security (Cross-Site Scripting)



I found a bunch of the same stuff (and more).  Looks like most of it is
duplicates on the same pages/attributes.

For example, on hobbit-enadis.sh, ippattern is not validated.  This shows
up for me as multiple issues, but it's one root cause.

What you have to decide is how much of a risk does this really pose.

Any of the pages that allow you to change anything should be password
protected and only trusted users should be able to access.  There is not a
SQL server behind the thing, so who cares about SQL injection.  They are not
going to delete your data.

Stewart

On Fri, Jun 19, 2009 at 11:18 AM, Stewart L <stewartl42 (at) gmail.com> wrote:

> It's usually a bit more complicated than just quoting the user input.   I'm
> actually scanning a fresh install with IBM Appscan Enterprise when you
> mentioned it... :)
>
>
>
> On Fri, Jun 19, 2009 at 11:09 AM, David Cecchino <
> david.cecchino (at) datacure.com> wrote:
>
>>  HP Webinspect scans of xymon show it is vulnerable to XSS , is there  a
>> way of putting quotes around the url variables/strings?
>>
>
>  --
> Stewart
> --
> An infinite number of mathematicians walk into a bar. The first one orders
> a beer. The second orders half a beer. The third, a quarter of a beer. The
> bartender says "You're all idiots", and pours two beers.
>
-- 
Stewart
--
An infinite number of mathematicians walk into a bar. The first one orders a
beer. The second orders half a beer. The third, a quarter of a beer. The
bartender says "You're all idiots", and pours two beers.
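An added example, not code from the Hobbit/Xymon project, showing the two controls this thread circles around for a parameter such as ippattern: an allow-list check before the value is used, and HTML escaping before it is reflected back into a page. It assumes the value has already been URL-decoded into a shell variable; the functions validate_ippattern, html_escape and render_response are hypothetical names.

```shell
#!/bin/sh
# Allow-list validation for an "ippattern"-style CGI parameter, plus HTML
# escaping of anything echoed back. Assumption: the value is already
# URL-decoded; the real hobbit-enadis.sh parsing is not reproduced here.

# Accept only digits, dots and '*' wildcards, non-empty and at most 64
# characters. Rejecting everything else (quotes, '<', ';', spaces) removes
# the XSS vector no matter how the value is later interpolated.
validate_ippattern() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
  case "$1" in
    *[!0-9.*]*) return 1 ;;
  esac
  return 0
}

# Escape the five characters that matter in HTML text and attributes.
# '&' must be handled first so later replacements are not double-escaped.
html_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' \
    -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' \
    -e "s/'/\&#39;/g"
}

# Defence in depth: validate first, and still escape what is reflected.
# Returns 1 (after printing a fixed message) when the value is rejected.
render_response() {
  if validate_ippattern "$1"; then
    printf 'Pattern applied: %s\n' "$(html_escape "$1")"
  else
    printf 'Rejected: invalid ippattern\n'
    return 1
  fi
}

# Constructed sample inputs: one legitimate pattern, one scanner-style probe.
render_response '10.0.*'
render_response '<script>alert(1)</script>' || true
```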