Full Disclosure mailing list archives
Xanga Cross Site Scripting Vunerability - GNAA Security Center
From: Nick Price <webmaster () q-cat com>
Date: Sat, 01 Jan 2005 16:51:19 -0600
Vendor: Xanga URL: http://www.xanga.com/ Versions: Current Remote: Yes Vendor notified: 04 Nov 2004 at 16:48 Vendor response: NONE Summary: ~~~~~~~ Xanga is a fully featured blogging system, it provides great control over look & feel of a users blog by allowing HTML with only basic checks. Xanga has well over 2.5 million users and millions of page views every hour. A security vulnerability in sitemessage.aspx allows malicious users to cause a legitimate-looking page to execute external code or display malicious content. Examples Code: ~~~~~~~~~~~~~~~~~~~~~~~~ http://www.xanga.com/sitemessage.aspx?user=%3Cimg%20src=%22http://www.gnaa.us/images/gnaa.png%22%3E Impact: ~~~~~ External code can be run from security domain of Xanga.com, possibility of posting malicious content such as fake login forms or malicious scripts. Vendor: ~~~~~ Vendor was informed months ago but we have recieved no reply. Credits: ~~~~~ The GNAA Security Team: http://www.gnaa.us/ -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.298 / Virus Database: 265.6.7 - Release Date: 12/30/2004 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Xanga Cross Site Scripting Vunerability - GNAA Security Center Nick Price (Jan 02)