Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XSS on Panasonic site

From: "Roberto Garcia Amoriz" <roberto.garcia () rogaramo com>
Date: Fri, 20 Jun 2014 15:04:02 +0200
                                                                - XSS on
Panasonic site-

****************************************************************************
***************************************
Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
Advisory ID:  969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on  security.panasonic.com Vendor
URL: http://security.panasonic.com 
Vendor Status: reported 2 times but not solved
****************************************************************************
***************************************


**************************
Vulnerability Description
**************************

The website " security.panasonic.com " is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


**************************
PoC-Exploit
**************************

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8


**************************
Solution
**************************

  Reported 2 times but not solved

**************************
Disclosure Timeline
**************************

- Report vuln Jun 4, 2014 via email to samuel.garcia () ext eu panasonic com

- Reported again via web Jun 12, 2014. They answer me:

        Dear Mr. Garcia, 
        Thank you for your prompt e-mail reply. 
        egarding your enquiry, I am writing to confirm having forwarded your
message to the corresponding department.
 
        Kind Regards, 
        Teo
        Customer Service Team 
        Panasonic UK

**************************
Afected sites:

  - vftr.panasonic.co.jp
  - security.panasonic.com
  - panasonic.ney

**************************


**************************
Credits
**************************

----------------------------------------------------------------------------
--------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
----------------------------------------------------------------------------
--------------

Best regards.

Roberto Garcia Amoriz

Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: