Multiple XSS vulnerabilities at http://www.shopathometv.com
From: "secure poon" <suckure () gmail com>
Date: Sun, 10 Jun 2007 01:54:13 -0700
http://www.shopathometv.com, a popular website whose television program runs
late night on local syndicated television, is vulnerable to multiple XSS
flaws. While shopping their site last night, they did not have a product I
was looking for when I entered an item number, so I decided to test a few
The main search box input is not sanitized on the front page. Simply go to
http://www.shopathometv.com and in their product search box type in
<script>alert(document.cookie);</script>, then hit the Go inside the circle. When
the page finishes loading, if you are a signed-up user (haven't tested not
signed up), you will get displayed all of your session variables.
On the following page there is an XSS inside the showTitle GET variable.
Click the link below
Sanitize all input variables.
not be shopping there until this is fixed.
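Added example (not from the post or the site): what "sanitize all input variables" means for the two reflections described above, the search term and the showTitle parameter. A reflected value must be encoded for the HTML context it lands in; the parameter name "q" and the attribute/heading layout are assumptions, and the sample query string is constructed from the probe quoted in the post.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the probe string quoted in the post, URL-encoded as a
# browser would send it. The parameter name "q" is an assumption.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E"


def search_term(query_string: str, name: str = "q") -> str:
    """Pull one reflected parameter (search term, showTitle, ...) out of
    the query string; empty string if it is absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_unsafe(term: str) -> str:
    """Mirrors the flaw the post describes: the term is pasted into the page
    verbatim, so any markup in it becomes part of the document."""
    return (f'<input name="q" value="{term}">'
            f"<h2>Results for {term}</h2>")


def render_safe(term: str) -> str:
    """Hardened form: HTML-encode before reflecting. quote=True also escapes
    the quote characters, which is what keeps the value attribute closed."""
    enc = html.escape(term, quote=True)
    return (f'<input name="q" value="{enc}">'
            f"<h2>Results for {enc}</h2>")


def contains_script_tag(markup: str) -> bool:
    """Regression check a defender can run over rendered pages: a reflected
    value must never produce a real <script> tag in the output."""
    return "<script" in markup.lower()
```

The same encoding step applies to the showTitle reflection; only the context (and therefore the escaping rules) changes if the value is placed in JavaScript or a URL rather than HTML text.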
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/