Hakin9 Magazine - XSS Vulnerabilities

While Hakin9 does not appear to offer security consulting services, any company that sells security in any fashion, including a magazine dedicated to hacking and security, should try to maintain a secure online presence. While vulnerabilities happen to everyone in time, it is more important how you react to them. Quickly patching a vulnerability to minimize the window of exploitability is the right thing to do, for both customers and your reputation. In this case, Hakin9 has been found to be vulnerable to several common cross-site scripting (XSS) issues. These have not been tested by attrition.org, but have been submitted by several people who have a history of finding XSS vulnerabilities in web sites.

http://hakin9.org/category/notice-board/index.php?s=%3Cscript%3Epcent%3D%2F%25%2F.source%3Bstr%3D%2F20616c657274282774686973206973207265616c6c7920636f6f6c212729%2F.source%3Btemp%3Dstr.substring%280%2C0%29%3Bfor%28i%3D0%3Bi%3Cstr.leng th%3Bi%2B%3D2%29{temp%2B%3Dpcent%2Bstr.substring%28i%2Ci%2B2%29}%3Beval%28unescape%28temp%29%29%3C%2Fscript%3E

Another report came in that http://hakin9.org/wp-login.php has several XSS vulnerabilities (ym_field-16, ym_field-5, and ym_subscription parameters). This also suggests they are running WordPress, a notoriously insecure software package. Hakin9 has been notified of at several of these, as of October 5, 2012.

From: d3v1l [redacted]
Date: 2012/10/5
Subject: Re: xss bug on your website
To: Pawel Plocki (pawel.plocki@software.com.pl)


: 2012/10/5 Pawel Plocki (pawel.plocki@software.com.pl)


Yes - we are working on it. Thank you for your engagement with helping us
develope our service.


main page ATTRITION feedback