Full Disclosure mailing list archives
XSS Vector at www.titus.de
From: batchwork () arcor de
Date: Fri, 26 May 2006 04:54:26 +0200 (CEST)
TITUS is a large german mailorder for skateboards and extreme sports related stuff. On the TITUS Homepage you can find a damn huge community (about 20.000 registered user). Inside the community a registred member can send IMs to other users, send eMails via web interface and drop orders to the mailorder. At the community rush hour nearly 5000 users are online at the same time. Easy to figure out what will happen when an XSS worm hits the site. And thats the point. The webmailer system offers an offensive vector for XSS attacks. If you send a mail (no need to type an receiver adress) with the following content, you have successfully executed a custom (malicious) script on the page: - "><script type="text/javascript">alert(document.cookie);</script><a href=" - I've already sent a mail to the technical team at titus.de, but there wasn't an answer neither a fix. Greetings, Batchwork -- freemail adverts: Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: günstig und schnell mit DSL - das All-Inclusive-Paket für clevere Doppel-Sparer, nur 44,85 inkl. DSL- und ISDN-Grundgebühr! http://www.arcor.de/rd/emf-dsl-2 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS Vector at www.titus.de batchwork (May 25)