http://www.security-net.biz/wsw/index.php?p=233&n=195 RSS feed - Site Exposed sr 15 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=234 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=234 <span style="font-weight: bold;">- Tip sajta:</span> Telekomunikacioni portal<br /><span style="font-weight: bold;">- Tip propusta:</span> XSS<br /><span style="font-weight: bold;">- Detalji:</span> Polje za pretragu nije pravilno zasticeno i omogucava XSS.<br /><span style="font-weight: bold;">- Savet:</span> Pretvorite specijalne karaktere u odgovarajuce html entitete.<br /><span style="font-weight: bold;">- Pronasao:</span> Aleksandar Nikolic Thu, 14 Aug 2008 12:25:49 +0100 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=232 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=232 - <span style="font-weight: bold;">Tip sajta:</span> Biro<br />- <span style="font-weight: bold;">Tip propusta:</span> SQL injection<br />- <span style="font-weight: bold;">Detalji:</span> Parametri za pretragu nisu pravilno sankcionisani pre koriscenja u samom upitu na bazu.<br />- <span style="font-weight: bold;">Savet:</span> <a href="http://www.php.net/mysql_real_escape_string" target="_blank">mysql_real_escape_string</a><br />- <span style="font-weight: bold;">Pronasao:</span> <a target="_blank" href="http://security-net.biz">Ivan Markovic</a> Thu, 31 Jul 2008 12:53:55 +0100 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=231 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=231 - <span style="font-weight: bold;">Tip sajta:</span> Drustvena mreza<br /> - <span style="font-weight: bold;">Tip propusta:</span> Privilege Bypass<br /> - <span style="font-weight: bold;">Detalji:</span> Ne postoji logika za proveru permisija i vlasnistva nad zapisima u sistemu.<br /> - <span style="font-weight: bold;">Savet:</span> Obavezno je implementirati sistem permisija u ovakvim sistemima. Greska je pokusati nadoknaditi ovaj zahtev metodom '<a href="http://en.wikipedia.org/wiki/Security_through_obscurity" target="_blank">security through obscurity</a>'.<br /> - <span style="font-weight: bold;">Pronasao:</span> <a target="_blank" href="http://security-net.biz">Ivan Markovic</a> Wed, 23 Jul 2008 02:48:50 +0100 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=229 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=229 <span style="font-weight: bold;">- Tip sajta:</span> Mali oglasi<br /><span style="font-weight: bold;">- Tip propusta:</span> XSS<br /><span style="font-weight: bold;">- Detalji:</span> Polje za pretragu nije pravilno zasticeno i omogucava XSS.<br /><span style="font-weight: bold;">- Savet:</span> Pretvorite specijalne karaktere u odgovarajuce html entitete.<br /><span style="font-weight: bold;">- Pronasao:</span> Aleksandar Nikolic Tue, 22 Jul 2008 01:20:51 +0100 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=228 http://www.security-net.biz/wsw/index.php?p=233&n=195&bl=228 - <span style="font-weight: bold;">Tip sajta:</span> Berza, vise sajtova svetskih berzi&nbsp; <br />- <span style="font-weight: bold;">Tip propusta:</span> XSS<br />- <span style="font-weight: bold;">Detalji:</span> Vise parametara za pretragu i sortiranje podataka nije pravilno zasticeno i omoguceno je direktno ispisivanje u html kod stranice. Ovaj pristup omogucava takozvani <span style="font-style: italic;">Cross-site scripting</span>.<br />- <span style="font-weight: bold;">Savet:</span> Pretvorite specijalne html karaktere u svoje html entitete.<br />- <span style="font-weight: bold;">Pronasao</span>: <a href="http://netsec.rs/" target="_blank">Dejan Levaja</a> Mon, 21 Jul 2008 11:44:18 +0100