Compsci.ca Vulnerability
QuantumPhysics
Posted: Mon May 06, 2013 9:47 am Post subject: Compsci.ca Vulnerability
I was just randomly looking around the forum again, and I found a spot here that has a possible Cross site scripting vulnerability, and Local File Intrusion (CSS & LFI). I am going to keep looking into it, but if I see that it can be used as an exploit, I will update this thread. I have found that querying the subtext headers on the double null of '//./ and /;//' actually gets the server to respond back to me. Possibly a blind SQL injection can be found here, I don't know. But I will keep looking into it; if anything comes up with it, I will update this thread.
Tony
Dan
Posted: Mon May 06, 2013 10:17 pm Post subject: RE:Compsci.ca Vulnerability
While I am grateful to anyone that finds an exploit in the site and reports it responsibly, I would have to ask that you (QuantumPhysics) and anyone just starting to learn this subject stop penetration testing the site until you have better education in the topic. Sending us false or misleading vulnerability reports wastes our time, and probing the wrong parts of the site could get you automatically banned and/or added to a global black list. Also, running software that scans a large number of pages on the site needlessly uses up our bandwidth and in some extreme cases could slow the site down for other users.
I will also add that I have warned you several times, QuantumPhysics, about making up things relating to security topics, and your post here sounds very much like the others: random words that can be found googling about exploits, thrown together to make a paragraph. I will give you the benefit of the doubt this time, as the logs for the site at least show you tried to exploit the site, though I see no evidence of it being successful. If I am incorrect, please e-mail or PM me the details.