Jul 28

Though I'm sure most site admins can figure this out, it is amazing how easy it is to find XSS bugs in closed-source software using nothing but Google and old-fashioned brute stupidity.

Jul 25

I just want to add this preface because people have been bugging me. I am not, nor do I claim to be, the best at what I do, the oldest person to do it, the most dedicated, or the most intelligent. I make these observations as is, and you can take from them what you will. I can't claim to be a part of the true underground. I can't even say I would know where to look for the true underground. However, I think any person who belongs to such a secret lair of this culture could agree that most of the people who claim to be a part of it are a disgrace to its name and values. So, here we go.

Jul 25

If you use the LiteSpeed HTTP server, you may not be aware of an XSS bug in its core files, namely the directory-listing script at /_autoindex/default.php, which reflects the request path into the page without escaping it. An example attack would be

_autoindex/default.php/<script>alert(1)</script>

To patch this, just add the following on line 346, before $uri is written into the HTML:

$uri = htmlentities($uri);

Bam.
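As an added illustration (not LiteSpeed's code; the function names and the listing markup are assumptions), here is the same bug class in a hypothetical directory-listing header, beside the version with the htmlentities() fix from the post applied:

```php
<?php
// Added example, not LiteSpeed's code: a hypothetical listing header that
// reflects the request path, first unescaped, then with the fix applied.

// Constructed input: the payload from the post, as it arrives via PATH_INFO.
$uri = '/_autoindex/default.php/<script>alert(1)</script>';

// Vulnerable: the raw path is concatenated into HTML, so the tag is rendered.
function listing_header_unsafe(string $uri): string {
    return '<h1>Index of ' . $uri . '</h1>';
}

// Fixed: encode the path for an HTML text context. ENT_QUOTES also encodes
// single quotes (matters if the value ever lands inside an attribute), and an
// explicit charset avoids depending on the PHP default.
function listing_header_safe(string $uri): string {
    return '<h1>Index of ' . htmlentities($uri, ENT_QUOTES, 'UTF-8') . '</h1>';
}

$unsafe = listing_header_unsafe($uri);
$safe   = listing_header_safe($uri);

// Self-check: the encoded output must not contain a raw tag.
if (strpos($unsafe, '<script>') === false) { throw new RuntimeException('unexpected'); }
if (strpos($safe, '<script>') !== false)   { throw new RuntimeException('fix failed'); }
if (strpos($safe, '&lt;script&gt;') === false) { throw new RuntimeException('fix failed'); }

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with the PHP CLI and compare the two lines: only the second one is safe to send to a browser.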

Jul 25

Just realized I had new user registrations turned off. My bad :(

Jul 19

http://www.pc-help.org/obscure.htm

Very neat, useful for XSS ;)
