[Full-disclosure] THQ website has multiple SQL injection bugs, and a reflected XSS
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] THQ website has multiple SQL injection bugs, and a reflected XSS
- From: Harry Balls <thqaredumbasses@xxxxxxxxx>
- Date: Wed, 16 Jun 2010 13:05:38 -0700 (PDT)
This is pretty much because I want to embarrass these assholes. See:
http://gamepolitics.com/2010/06/14/exec-thq-anti-used-game-initiative-could-make-everyone-happy
SQLi 1:
http://www.thq.com/us/mythq/register?contentType=GAMEALERT&alertGame='4896
This one is pretty obvious. It's an injection via $_GET. The funniest part is
that they don't just allow injection. They serve up the whole PHP source of the
page for you, giving you table names and the actual syntax of the query being
used.
SQLi 2:
The next one is an injection via POST in their registration form here:
http://www.thq.com/us/mythq/register
I used Burp Suite to inject it by editing the HTTP requests, but you can probably
just enter whatever you want right in the form. I used the UK subdomain for
testing: http://uk.thq.com/uk/mythq/register. This one also shows the source.
The next one is your typical reflected XSS:
http://www.thq.com/us/search/index?keyw=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
I hope this is enough to put off anyone who was thinking of buying shit from
them.
Would you trust this company with your credit card information when they can't
even properly sanitize a registration form?
These probably aren't even the only security bugs on their site. This is just
after 10 minutes of pentesting. Do yourself a favor and stay far far away from
this company. They have no clue about security and obviously don't give a shit
about their customers.
BOYCOTT THQ
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
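The post describes three failure modes on one site: a query parameter concatenated into SQL so that a stray quote changes the query grammar, database errors (and here the page source) echoed back to the browser, and a search keyword reflected into HTML without encoding. The following example is added here as an editorial illustration; it is not code from the post or from the site it names, which the poster says is PHP. It uses Python with an in-memory SQLite table (a hypothetical `game_alert` schema with constructed rows, not the site's real schema) to show the same defects beside their fixes: a parameterised query instead of concatenation, allow-list validation of the parameter, server-side logging of database errors with a generic response to the client, and contextual HTML encoding of anything reflected into a page.

```python
import html
import logging
import sqlite3

log = logging.getLogger("alert_handler")

# Constructed sample data and inputs; none of it comes from the site in the post.
SAMPLE_ROWS = [("4896", "Sample Game"), ("4897", "Other Game")]
MALFORMED_ID = "'4896"  # the shape of value the post shows: a quote before the id


def build_db():
    """In-memory SQLite table standing in for a game-alert table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE game_alert (game_id TEXT PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO game_alert VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, game_id):
    """Query built by string concatenation: the value becomes part of the SQL
    grammar, so a quote in it changes the statement instead of being data."""
    sql = f"SELECT title FROM game_alert WHERE game_id = '{game_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, game_id):
    """Parameterised query: the value is bound at execution time and is never
    parsed as SQL, so the same malformed input simply matches nothing."""
    rows = conn.execute("SELECT title FROM game_alert WHERE game_id = ?", (game_id,))
    return [row[0] for row in rows]


def unsafe_query_fails(conn, game_id):
    """True if the concatenated query raises a database error for this input.
    The error text is what a misconfigured application echoes to the browser."""
    try:
        lookup_unsafe(conn, game_id)
    except sqlite3.Error as exc:
        log.debug("concatenated query failed: %s", exc)
        return True
    return False


def handle_alert_request(conn, raw_game_id):
    """Simulated handler for an alert-game query parameter. Returns (status, html_body)."""
    # Layer 1: allow-list validation of the untrusted parameter before it reaches the database.
    if not raw_game_id.isdigit() or len(raw_game_id) > 10:
        return 400, "<p>Bad request</p>"
    # Layer 2: parameterised query. Layer 3: database errors are logged server-side
    # and the client only ever sees a generic message, never the query or source.
    try:
        titles = lookup_safe(conn, raw_game_id)
    except sqlite3.Error:
        log.exception("alert lookup failed")
        return 500, "<p>Internal error</p>"
    if not titles:
        return 404, "<p>No such game</p>"
    # Layer 4: output encoding, even for values read back from the database.
    items = "".join(f"<li>{html.escape(t)}</li>" for t in titles)
    return 200, f"<ul>{items}</ul>"


def render_search_page(keyword):
    """Reflects a search keyword into HTML with contextual encoding, so any
    markup in the input is rendered as inert text rather than executed."""
    return f"<p>Results for: {html.escape(keyword, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    print("safe lookup of 4896:", lookup_safe(db, "4896"))
    print("safe lookup of malformed id:", lookup_safe(db, MALFORMED_ID))
    print("concatenated query fails on malformed id:", unsafe_query_fails(db, MALFORMED_ID))
    print("handler response for malformed id:", handle_alert_request(db, MALFORMED_ID))
    print(render_search_page("<script>alert(1)</script>"))
```

Running the block shows the two halves of the post's first finding side by side: `lookup_unsafe` raises a database error on the quoted id (the error a leaky PHP configuration would print to the page), while `lookup_safe` returns an empty result for the same input because the value never reaches the SQL parser. The handler adds the layers a reviewer would expect around the query, and `render_search_page` turns the reflected-keyword case into plain text. On the PHP side the equivalents are PDO prepared statements with bound parameters, `display_errors` turned off in production, and `htmlspecialchars` at every point where request data is echoed.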