Security Thoughts

Saturday, April 30, 2011, 07:50

God Save The (Omniture) Quine

Some weeks ago, while testing a website hosted by a client of ours
with DOMinator, I found that an Omniture Catalyst plugin called
crossVisitParticipation used an eval on a cookie value.
It was a typical 'eval(cookieValue)', which is bad from a security
perspective, but something more interesting made me decide to write
a post about it: the attack vector was kind of advanced, and the
model here is different from "traditional" mashups.
In the Omniture case, companies have to save an auto-generated
JS file and host it on their own websites.
This means updates are directly tied to the local site administration
policy, and no real-time update is possible.

Continue reading on Minded Security Blog..
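
The 'eval(cookieValue)' pattern described above next to a data-only replacement, as an added example that is not part of the original post and is not the Omniture plugin's code. The cookie name visit_history, the JSON list of [label, timestamp] pairs, the sample cookie strings and all function names are assumptions made for illustration.

```javascript
// Added illustration; cookie name, layout and sample values are constructed.

// Extract one cookie's raw value from a "k=v; k2=v2" string (document.cookie format).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Risky pattern from the post: a cookie is client-controlled input, and
// eval() runs whatever it holds as script in the page's origin.
function readHistoryUnsafe(cookieString) {
  const raw = getCookie(cookieString, 'visit_history');
  return raw === null ? [] : eval(decodeURIComponent(raw));
}

// Hardened form: parse the value as data only, then check its shape.
function readHistorySafe(cookieString, maxEntries = 20) {
  const raw = getCookie(cookieString, 'visit_history');
  if (raw === null) return [];
  let parsed;
  try {
    parsed = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return []; // malformed percent-encoding or not JSON: discard the cookie
  }
  if (!Array.isArray(parsed) || parsed.length > maxEntries) return [];
  const ok = parsed.every((entry) =>
    Array.isArray(entry) && entry.length === 2 &&
    typeof entry[0] === 'string' && entry[0].length <= 64 &&
    Number.isSafeInteger(entry[1]) && entry[1] >= 0);
  return ok ? parsed : [];
}

// Constructed sample cookies: a well-formed one and one whose value is script.
const GOOD = 'lang=en; visit_history=' +
  encodeURIComponent('[["email",1304150000000],["search",1304160000000]]');
const TAMPERED = 'visit_history=' +
  encodeURIComponent('(globalThis.evalRan = true, [])');
```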

Wisec is written and maintained by Stefano Di Paola.
