Full Disclosure mailing list archives
Re: http://www.heise.de - Cross-site Scripting vulnerability
From: osaft <osaft () lavabit com>
Date: Sat, 12 Jan 2013 12:07:52 +0100
On Thu, 10 Jan 2013 19:47:25 +0100 Stefan Schurtz <sschurtz () t-online de> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: heise.de - Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-002
Author: Stefan Schurtz
Affected Software: Successfully tested on heise.de
Vendor URL: http://www.heise.de
Vendor Status: fixed

==========================
Vulnerability Description
==========================

http://www.heise.de is prone to a XSS vulnerability

==========================
PoC-Exploit
==========================

http://www.heise.de/foto/galerie/suche/photo/?suchwort=" onMouseMove=alert(document.cookie) '

==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

03-Jan-2013 - informed heise Security
04-Jan-2012 - fixed by developer

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

Now that's valuable information. Thank god that you informed about this groundbreaking issue, Stefan. I will update my personal heise.de right away.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/