Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Xanga Cross Site Scripting Vunerability - GNAA Security Center

From: Nick Price <webmaster () q-cat com>
Date: Sat, 01 Jan 2005 16:51:19 -0600
Vendor: Xanga
URL: http://www.xanga.com/
Versions: Current
Remote: Yes
Vendor notified: 04 Nov 2004 at 16:48
Vendor response: NONE

Summary:
~~~~~~~
Xanga is a fully featured blogging system, it
provides great control over look & feel of a users
blog by allowing HTML with only basic checks.
Xanga has well over 2.5 million users and millions
of page views every hour.
A security vulnerability in sitemessage.aspx
allows malicious users to cause a legitimate-looking page to execute external code or display malicious content.


Examples Code:
~~~~~~~~~~~~~~~~~~~~~~~~
http://www.xanga.com/sitemessage.aspx?user=%3Cimg%20src=%22http://www.gnaa.us/images/gnaa.png%22%3E

Impact:
~~~~~
External code can be run from security domain of Xanga.com, possibility of posting malicious content such as fake login 
forms or malicious scripts.

Vendor:
~~~~~
Vendor was informed months ago but we have recieved no reply.

Credits:
~~~~~
The GNAA Security Team: http://www.gnaa.us/



--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.298 / Virus Database: 265.6.7 - Release Date: 12/30/2004

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: