Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 21 Feb 2016 01:14:14 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple XSS vulnerabilities in Refinery CMS

On Fri, Feb 19, 2016 at 09:07:30PM +0530, Shravan Kumar wrote:
> I would like to publically disclose  Multiple XSS Vulnerabilities Found in
> Refinery CMS.

As a moderator, I have to note that we have two inappropriate postings
here - a link to an external PDF (in fact, the same one in two messages)
and no detail in message body.  I also have to admit that, although this
kind of postings were frowned upon in the past, the "List Content
Guidelines" did not explicitly discourage them.  This is now corrected:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

"At least the most essential part of your message (e.g., vulnerability
detail or a PoC exploit) should in fact be in the message itself (and in
plain text), rather than only included by reference to an external
resource.  Posting links to relevant external resources as well is
acceptable, but posting only links is not."

Going forward, PDF-only postings like this may be rejected.

And, doing Shravan's homework this one time, I've attached a plain text
export of the content from the PDF file.  Unfortunately, this does not
capture some of the detail and isn't formatted well (it might even be
partially incorrect, showing some deleted text or such).  Sorry about
that - not my job.  Shravan, on future occasions, please prepare a
proper plain text description of whatever you post in here.

Alexander

View attachment "Penetration-testing-report--open-source-Ruby-on-rails-Refinery-CMS.txt" of type "text/plain" (7363 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.