Full Disclosure mailing list archives

Permanent XSS and user enumeration on campus-party.eu


From: klondike <klondike () klondike es>
Date: Mon, 02 Sep 2013 19:25:28 +0200

It's possible to do a permanent XSS injection on the campus-party.eu
website.

For this when you register in the website through
https://www.campus-party.eu/webapp/participante/personalData?to= you
need to put your code in the name field taking into account that it will
be converted into caps when reflected. Once done the code can be found
at https://www.campus-party.eu/webapp/participante/loginBox and at
https://www.campus-party.eu as long as the user is logged in.

This vulnerability could be used for example with phishing attacks to
steal user data amongst other things by making the user log in with the
given data and then asking him to enter an appropriate address.

To make things more interesting, the
https://www.campus-party.eu/webapp/participante/personalData?to= and the
https://www.campus-party.eu/webapp/participante/solicitudRestaurarPasswordForm
can be used by spammers to check whether a particular e-mail is
registered or not on the website since they will report back that
information.

The first one can be used without side effects by entering a single
character password resulting either in an error regarding password
length or in a notice that the e-mail was already registered.

The second one can be used just by entering the e-mail and checking the
resulting message, but will have as a side effect that an e-mail will be
sent back to the registered users asking them to reset their password.

I hope this information is useful,
klondike

Attachment: signature.asc
Description: OpenPGP digital signature
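The two issues in the post, the name field rendered into the login box without encoding and the registration and password-reset forms answering differently for registered and unregistered addresses, are illustrated below from the defender's side. This is an added example and not campus-party.eu's code: the user table, the outbox, the `loginBox` markup and the 8-character password rule are constructed assumptions. The unsafe renderer keeps the behaviour the post describes (upper-casing, then pasting into the page); the hardened one encodes after the case conversion. The two form handlers return one message regardless of whether the address exists, and `leaks_account_existence` is the check a reviewer can run against any handler to see whether it still acts as an enumeration oracle.

```python
import html

# Constructed example (not campus-party.eu's code): an in-memory user table
# and an outbox that stands in for the mail server.
USERS = {"alice@example.org": {"name": "Alice"}}
OUTBOX = []


def render_login_box_unsafe(display_name: str) -> str:
    """The pattern the post describes: the name is upper-cased and pasted
    into the page markup as-is, so any markup in the name is rendered."""
    return '<div id="loginBox">' + display_name.upper() + "</div>"


def render_login_box(display_name: str) -> str:
    """Hardened variant: HTML-encode *after* the case conversion, so no
    later transformation can reintroduce raw markup."""
    return '<div id="loginBox">' + html.escape(display_name.upper(), quote=True) + "</div>"


def request_password_reset(email: str) -> str:
    """Uniform response: the message is identical whether or not the address
    is registered; only the side effect (a mail to the mailbox owner) differs,
    and that is invisible to the requester."""
    if email.lower() in USERS:
        OUTBOX.append((email, "password-reset"))
    return "If that address is registered, a reset link has been sent."


def register(email: str, password: str) -> str:
    """Uniform registration response: the password policy is checked first
    and reported the same way for new and existing addresses, and the
    'already registered' notice goes to the mailbox owner, not the requester."""
    if len(password) < 8:  # assumed policy, stands in for the site's own
        return "Password must be at least 8 characters."
    if email.lower() in USERS:
        OUTBOX.append((email, "already-registered"))
    else:
        OUTBOX.append((email, "confirm-registration"))
    return "Check your e-mail to continue."


def leaks_account_existence(handler, *args) -> bool:
    """Detection check: call the handler once with a registered and once with
    an unregistered address and compare the responses. True means the
    endpoint can be used to enumerate accounts."""
    known = handler("alice@example.org", *args)
    unknown = handler("nobody@example.org", *args)
    return known != unknown


if __name__ == "__main__":
    print(render_login_box_unsafe("<b>x</b>"))
    print(render_login_box("<b>x</b>"))
    print("reset leaks:", leaks_account_existence(request_password_reset))
    print("register leaks:", leaks_account_existence(register, "correct horse battery"))
```

The uniform reset response still sends a mail to the registered user on every request, which is the side effect the post mentions; in a real deployment that path should also be rate-limited per address and per source so it cannot be abused to flood mailboxes.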

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
