XSS in major Nepali websites (discovered by www.nepsecure.tk)

XSS, or Cross-Site Scripting, is a means of successfully injecting HTML, JavaScript, etc. into a page, and it is mostly client-side, i.e. it happens in the browser.

Nepali websites have time and time again been found to be ignorant about security. Closeupzone.com (website of Closeup toothpaste / event management) and m2win.com (website of Mayos Instant Noodles) have been the latest victims of the talented group of Nepali hackers www.nepsecure.tk.

The proof of concept demonstrates the XSS vulnerabilities in these sites. closeupzone.com does seem to try to filter HTML tags, but it is possible to bypass the filter, so this is a particularly interesting one. I personally can't comment about the ethics of these Nepali security gurus, but it would be an applaudable act to point it out to the concerned authorities.

Proof of concept exploits:

m2win.com XSS: http://the-cabal.com/z0mbi3/forum/viewtopic.php?t=108

closeupzone.com XSS: http://the-cabal.com/z0mbi3/forum/viewtopic.php?t=97

Comments

Nepsecure not so secure...

Interesting Findings... but why is nepsecure not com.np?... and hiding behind cabal??? Also noted that nepsecure is still at 2.0.8 while the latest stable release of phpbb is 2.0.10 . A number of security related issues and some bugs have been fixed since then.

Even though i only know nepse

Even though I only know nepsecure members online... as far as I have gathered... the forum is being hosted by someone from the UK because they simply can't afford hosting.

MOS controls .com.np registration..not in a million years would they give a domain name for a site like nepsecure.

Open offer...

IMHO, as far as domain registration is considered, it does not make a difference where it is registered... but mainly depends on where the domain is being hosted. What happens if "Tokelau" decides to begin charging everyone?? Would nepsecure still be with them.

The group should start seriously thinking of securing their name if they want to be taken seriously in the business world. .tk web re-direction just does not get it!!

I think the folks are doing a great job making aware about security issues in Nepal, however... I do think that they need to secure their website first before ploughing on others.

With all said, I am definitely interested in supporting their cause and would be glad to offer up sponsorship for their domain.

thx

thankx for ur offer.. we are planning to change server soon and will let u know if we happen to need sponsorship. We are running with limited resources and not many people appreciate our work so it's good to see IT conscious ppl like u, Sandeep bro take notice. Ur also welcome to discuss security related issues with us in the forum.
thanks to Himanshu bro for spying on us ;)

Current site is hosted by a friend's friend so i guess u can understand the situation.. Still i am happy with the progress made in the 4 months since we started the forum online.

A proper site for nepsecure is in the pipeline....

Btw linuxweblog is a kick ass site for anyone's linux appetite. Keep up the good work and am also looking forward for original content from Nepali guys.

Linux and Security...

Contra, good to see you here... and hear about the future of nepsecure, and the invite to the forum. Unfortunately, my interest does not lie so much with computer security as does my fascination with linux, although I do keep a look out for any and update myself with major sites such as warnings published by CERT.

Keep up the good work and feel free to use the content here if it seems of any interest!!

...

Nepsecure.tk is just a temp. gathering place so that we all can stay in touch for the time being. Anyways...... (O;

Mailing list?

Do you guys have a mailing list?

no

we thought of... but most of the time we function through messenger and irc so........ sandip, i've seen u around for a long time! WHAT DO U DO? an admin. somewhere..... or ???
