Massmail - XSS For The World
I just mailed most of the websites I found XSS vulnerabilities on. I will give them about a week to respond and then publish the list.
By the way, while collecting the mail addresses to inform them, I tried to find an email address of anyone responsible for something at aol.com, but their page is so well organized that I could not find any. Most of the time they wanted me to log in. But why should I register with an obviously vulnerable website? Thus they got left out.
on March 8th, 2007 at 9:57 am
The default security contact of a given website is: [email protected]. This is even defined in one of the URL-RFCs. Whether AOL really checks this address is obviously a different story…
on March 8th, 2007 at 1:55 pm
Ah ok. I didn’t know that. Just added that one to my own mailserver, hehe.
I’ll write them a mail this evening.
M4z also told me that a week is too short a timeframe. So I decided not to include the ones that reacted to my mail but have not yet managed to fix the vulnerability, until they do. Well, unless it takes too long.
on March 9th, 2007 at 1:24 am
Well I tried to reach AOL through [email protected], but the mail could not be delivered “550 security IS NOT ACCEPTING ANY MAIL”. The response also did not lead to any other mail address.
But while reading the returned error message I stumbled across these lines:
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Am I wrong or is it queer to encode an 8bit charset with 7bit? Maybe it is all normal, but it looks strange to me.
The intermediary results are:
49 found
40 notified
8 answered
3 fixed
The 3 fixed are a little misleading, since only one was really fixed because of my mail. One had been fixed before notification, and the other, namely AOL, has changed their subdomain and parts of the site. But after a short look I have found another one, so they are still on my list.