Vulnwatch mailing list archives
Syhunt: Flixster Cross-Site Scripting Vulnerabilities
From: Alec Storm <alec () syhunt com>
Date: Tue, 24 Apr 2007 13:58:36 -0300
Syhunt: Flixster Cross-Site Scripting Vulnerabilities

Advisory-ID: 200731031
Discovery Date: 3.31.2007
Release Date: 4.24.2007
Affected Applications: Flixster service
Class: Cross-Site Scripting (Cookie Theft), HTML Injection
Status: Patched by Flixster
Vendor: Flixster, Inc
Vendor URL: http://www.flixster.com

----------------------------------------------------------------

Overview:

Flixster is a social networking site focused on movie reviews. It includes features such as the ability for individual users to review and rate films and to compare their ratings with invited friends to assess compatibility in film tastes. Recently it claimed to have surpassed 5 million registered users.

Description:

The Flixster service is vulnerable to cross-site scripting (XSS) and HTML injection. Input passed to the "message" parameter is not properly sanitised before being returned to the user. The search feature is vulnerable as well. The vulnerabilities can be exploited to execute arbitrary HTML and script code in the user's browser session, in the context of the Flixster site (hence the cookie-theft classification above). Flixster allows users to include links in their profiles and messages, which makes these flaws even easier to exploit: a link to a crafted URL can be placed where other Flixster users will click it.

----------------------------------------------------------------

Details:

1) Message parameter XSS

http://www.flixster.com/user/[user]?message=Hello%20world!<script>alert(document.cookie);</script>

http://www.flixster.com/homepage.do?message=Hello%20world!<script>alert(document.cookie);</script>

2) Search XSS

http://www.flixster.com/movies.do?movieAction=doMovieSearch&search="><script>alert(document.cookie)%3B<%2Fscript>&x=44&y=14

The search payload starts with "> to break out of a quoted attribute value, which indicates that the search term is reflected inside an HTML attribute rather than directly as page text, as the message parameter is. Output encoding therefore has to cover the quote character as well as < and >.

----------------------------------------------------------------

Vulnerability Status:

The vendor was notified on 3.31.2007. Flixster is no longer vulnerable to these exploitation methods.

----------------------------------------------------------------

Disclaimer:

The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.

---

Credit: Alec Storm, Syhunt Security Research Team, www.syhunt.com
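The following is an added example, not code from the Syhunt advisory and not Flixster's own code. It takes the two proof-of-concept URLs quoted above, extracts the "message" and "search" parameters the way a server would see them (percent-decoded), and renders each into a page fragment two ways: concatenated directly, as the advisory says Flixster did, and with context-appropriate HTML encoding. The page templates (a flash div and a search input) are invented for illustration; the real Flixster markup is not part of the advisory.

```javascript
// Added example, not from the Syhunt advisory or from Flixster.
// Demonstrates the two reflection contexts the advisory's payloads target
// (page text for "message", a quoted attribute value for "search") and the
// output encoding that neutralises both. Templates below are assumed.

// Proof-of-concept URLs exactly as quoted in the advisory.
const MESSAGE_POC =
  'http://www.flixster.com/homepage.do?message=Hello%20world!<script>alert(document.cookie);</script>';
const SEARCH_POC =
  'http://www.flixster.com/movies.do?movieAction=doMovieSearch&search="><script>alert(document.cookie)%3B<%2Fscript>&x=44&y=14';

// Read a query parameter the way the server would receive it:
// percent-decoded, so %3B becomes ";" and %2F becomes "/".
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Encode the five characters that can change HTML parsing context.
// Encoding " and ' as well makes the same function safe inside quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering, as the advisory describes: the parameter is
// concatenated straight into the response with no encoding.
function renderMessageUnsafe(message) {
  return `<div class="flash">${message}</div>`;            // text context
}
function renderSearchUnsafe(search) {
  return `<input type="text" name="search" value="${search}">`; // attribute context
}

// Hardened rendering: encode at the point of output.
function renderMessageSafe(message) {
  return `<div class="flash">${escapeHtml(message)}</div>`;
}
function renderSearchSafe(search) {
  return `<input type="text" name="search" value="${escapeHtml(search)}">`;
}

// Crude visibility check for the demo: does the response contain a script
// element that the template itself never wrote?
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Run both payloads through both renderers and return the four fragments.
function demo() {
  const message = queryParam(MESSAGE_POC, 'message');
  const search = queryParam(SEARCH_POC, 'search');
  return {
    messageUnsafe: renderMessageUnsafe(message),
    messageSafe: renderMessageSafe(message),
    searchUnsafe: renderSearchUnsafe(search),
    searchSafe: renderSearchSafe(search),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, html] of Object.entries(demo())) {
    console.log(`${name} (script injected: ${hasInjectedScript(html)})\n  ${html}`);
  }
}
```

Run with `node` to see that the unsafe search fragment reads `value=""><script>...`, i.e. the leading `">` closes the attribute and the script element becomes real markup, while the encoded version keeps the whole payload inside the attribute as inert text. The same `escapeHtml` serves both contexts only because it encodes quotes; an encoder that handles just `<` and `>` would still leave the search reflection exploitable.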