iodigital-com / SecretSanta

Secret santa is the #1 online gift exchange organizer. https://www.secretsantaorganizer.com
ISC License
129 stars 65 forks

Responsible Disclosure #1 #467

Closed 0x0asif closed 5 years ago

0x0asif commented 5 years ago

Hi Team. I'm Md. Asif Hossain from Bangladesh.

I found an issue called "Same-Site Scripting".

Your localhost.secretsantaorganizer.com has address 127.0.0.1, and this may lead to "Same-Site Scripting".

Reproduce: open cmd and type localhost.secretsantaorganizer.com; it will show the localhost IP 127.0.0.1.

Here is a detailed description of this minor security issue (by Tavis Ormandy): http://www.securityfocus.com/archive/1/486606/30/0/threaded

Recommendation: remove the localhost entry from the DNS server.

Thanks.
Md. Asif Hossain

tvlooy commented 5 years ago

We have this set up correctly. This report is invalid.

0x0asif commented 5 years ago

Here is a writeup about same-site scripting. Maybe it will help you fix this issue. Thanks. https://security.stackexchange.com/questions/71843/what-is-same-site-scripting-and-what-are-some-exploit-scenarios/71850

On Wed, Oct 30, 2019 at 3:59 PM Tom Van Looy notifications@github.com wrote:

We have this set up correctly. This report is invalid.


tvlooy commented 5 years ago

You reported a "same site scripting" issue but can't provide proof for this, because we don't have logins or sessions to exploit. You see a misconfigured localhost entry; this does not automatically mean "same site scripting" is possible.

0x0asif commented 5 years ago

Same-site scripting on your secretsantaorganizer.com domain is fixed. Let me know, is my report eligible for a reward?

tvlooy commented 5 years ago

Have you read my responses?

0x0asif commented 5 years ago

Right now it is not possible to reproduce this issue, because it is fixed.

On Thu, Oct 31, 2019 at 3:36 AM Tom Van Looy notifications@github.com wrote:

have you read my responses?


tvlooy commented 5 years ago

You can configure the localhost record on your local machine for the exploit. If you can provide a PoC you will be eligible for a bounty. Please read the bounty rules at https://www.secretsantaorganizer.com/bugbounty, where we also ask not to use the GitHub issue tracker for security issues, not to publicly disclose issues, and to report by using the contact form.
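The two halves of this thread, the reporter's DNS observation and the maintainer's point that a loopback record only matters if there is something (a session cookie) for it to capture, can be checked mechanically. The script below is an added example and is not code from the SecretSanta project or from either participant. It resolves localhost.<zone>, flags loopback answers, and applies the RFC 6265 domain-matching rule to show why a cookie set with a Domain attribute on the parent zone would be sent to a server listening on the victim's own 127.0.0.1. The zones leaky.test, fixed.test and pointed-away.test and their answers are constructed for the offline demonstration; the dns_resolve helper is provided for a live check and is not used by the demonstration.

```python
"""Same-site scripting check: does localhost.<zone> resolve to loopback, and
would a cookie scoped to <zone> be sent there by a browser?"""
import ipaddress
import socket
from typing import Callable, Iterable, List

Resolver = Callable[[str], Iterable[str]]


def is_ip_literal(host: str) -> bool:
    """True if host is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for other addresses or garbage."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host equals the cookie's Domain
    attribute, or ends with '.' + that domain and is not an IP literal."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain) and not is_ip_literal(request_host)


def cookie_sent_to(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Would a browser attach this cookie to a request for request_host?
    A host-only cookie (no Domain attribute) goes only to the exact host that
    set it; a cookie with a Domain attribute goes to that domain and all of
    its subdomains, including localhost.<domain>."""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower().rstrip(".")
    return domain_matches(request_host, cookie_domain)


def assess_zone(zone: str, resolve: Resolver) -> dict:
    """Resolve localhost.<zone> and report whether a parent-domain cookie
    would be delivered to a listener on the victim's loopback interface."""
    name = f"localhost.{zone}"
    addresses = list(resolve(name))
    loopback = [a for a in addresses if is_loopback(a)]
    return {
        "name": name,
        "addresses": addresses,
        "loopback": loopback,
        "parent_cookie_reaches_localhost": bool(loopback)
        and cookie_sent_to(name, zone, host_only=False),
    }


def dns_resolve(name: str) -> List[str]:
    """Live resolver via the system stub resolver (needs network; not used
    by the offline demonstration below)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed zone data for the offline demonstration, not real DNS answers.
CONSTRUCTED_ZONE = {
    "localhost.leaky.test": ["127.0.0.1", "::1"],   # the misconfiguration
    "localhost.fixed.test": [],                     # record removed
    "localhost.pointed-away.test": ["198.51.100.7"],  # exists but not loopback
}


def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    for zone in ("leaky.test", "fixed.test", "pointed-away.test"):
        print(assess_zone(zone, constructed_resolve))
```

To run it against a real zone, call assess_zone("example.com", dns_resolve). A True value for parent_cookie_reaches_localhost only means the delivery path exists; as the maintainer notes above, it is exploitable only if the site actually issues a cookie with a Domain attribute on that zone, and a host-only cookie for www.<zone> never reaches localhost.<zone>.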

tvlooy commented 5 years ago

@asiffarabi0000 please use https://www.secretsantaorganizer.com/contact to get in touch