Information Security & US & Life & Love & Fashion & Hacking & Passion

1. XSS
1. Severity : High
2. URI was set to 1<div style=width:expression(prompt(957586))>
   URL encoded GET input genre was set to " onmouseover=prompt(968437) bad="
   
   
   
2. Application Error Msg
1. Severity : Medium
2. URL encoded GET input key was set to '"'");|]*{%0d%0a<%00>
   Error message found:

   java.lang.NumberFormatException: For input string:

   
   
   
3. Error Msg on Page
1. Severity : Medium
2. Pattern found:

   java.lang.NumberFormatException: For input string:

   
   
   
4. Insecure crossdomain.xm
1. Severity : Medium
2. The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml).
   
   When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so:

   <cross-domain-policy>
   <allow-access-from domain="*" />
   </cross-domain-policy>
   

   This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially careful when using cross-domain policy files.
   This vulnerability affects Server.

The Pentagon has banned, at least temporarily, the use of external computer flash drives because of a virus threat officials detected on Defense Department networks.

While defense officials would not publicly confirm the ban, messages were sent to department employees informing them of the new restrictions. As part of the ban, the Pentagon was collecting any of the small flash drives that were purchased or provided by the department to workers, according to one message distributed to employees.

Workers are being told there is no guarantee they will ever get the devices back and it is not clear how long the ban will last.

Pentagon spokesman Bryan Whitman would provide no details on the virus Friday, but he described it as a "global virus" that has been the subject of public alerts.

"This is not solely a department problem, this is not solely a government problem," Whitman said.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line.

Officials said then that a penetration of the system was detected, but the attack had no adverse impact on department operations.

However, military leaders have consistently warned of potential threats from a variety of sources including other countries -- such as China -- along with other self-styled cyber-vigilantes and terrorists.

The issue has also been of concern at the Department of Homeland Security. A September audit by the DHS Inspector General recommended that the agency implement greater procedures to ensure that only authorized computer flash drives or other storage devices can be connected to the network there and that an inventory of those devices be set up.

DHS agreed with the recommendations and said some of that is already being done. DHS also said more software enhancements are in the works that will provide more protection.