Full Disclosure mailing list archives
XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be
From: Yvan Janssens <Yvan.Janssens () vasco com>
Date: Mon, 16 Jul 2012 07:23:39 +0000
Hello, I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . This vulnerability was possible due to invalid input validation/bad programming. The owner was contacted and a satiric fix was deployed. Affected site: http://eenmiljardseconden.frankdeboosere.be/ (media stunt of Flemish television weather forecast presentator) Details: After entering a message on the "Stuur een bericht naar de toekomst"-page, you are presented an unique number of your request, to track it. You were then redirected to http://eenmiljardseconden.frankdeboosere.be/messagesent/id/[number of your request]. The number could be replaced by any value to inject content into the page. It is now solved, and if you try to execute it again, you get a link to Rick Astley's "Never gonna give you up" on YT. Timeline: 2012-05-29 - discovery and owner notification. 2012-05-30 - Fix 2012-05-31 - Disclosure at 42(at)discuss.hackerspaces.be mailinglist. Regards, Yvan Janssens
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be Yvan Janssens (Jul 16)
- Re: XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be coderman (Jul 16)
- Re: XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be Dodi Ara (Jul 16)
- Re: XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be coderman (Jul 16)