Monday 30 September 2013

[EN] XSS at Microsoft page

Hi,

during bug bounty tests I decided to try Microsoft's page.

After a while, I found one bug.
Of course there was a nice contact about the whole case, but
after asking about any response - no contact to this day. :)

So... public ;)





Similar story to the one described a few minutes ago about linkedin.com.

* Update @ 11/10.2013 *
Finally I've got an answer about this case, and it should be presented at their page.
In case of any news I will publish the details here.


Enjoy and remember to do only legal things ;)

Cheers
o/

[EN] Another XSS at LinkedIn.com

Hi,

during a few tests in a few different bug bounty programs,
on 19.09 this year I found another persistent XSS in our nice job portal
www.linkedin.com

During mails with IT support I think it is patched now, but
if you wanna try - here you have a short list of steps to reproduce:

1. Log in to your account
2. Go to contact lists, to 'imported contacts'
3. Edit one contact
4. In a new window, in the edited person, the surname is vulnerable to persistent XSS.

Below is a screenshot from a sample 'attack':




* Update @ 01.10.2013 * 
'Seems to be patched at production.' ;)


* Update @ 04.10.2013 * 

The LinkedIn Team once again surprised me with their answer. :)
This is a really good Team!
Good job guys!

Enjoy and remember, do only legal things ;)

Cheers
o/

Wednesday 25 September 2013

[EN] IPBoard 3.x Updates

Yesterday I saw a new post at the IPBoard Community Forum about a few
new vulnerabilities and patches.

If you're using the mentioned version(s) I would recommend you update as soon as you can.
"How to do it" was described at the forum's page.

Big thanks to the guys from IPB Support for a fast response and great job!
Keep going! ;)