The site at http://eenmiljardseconden.frankdeboosere.be/ had a cross site scripting issue and resolved it. What makes this noteworthy is that they took the high road and rickrolled any future attempts. More sites should add humor to their fixes.
fab0483fa163dbeb5095052167d50d9d23809032c0545626a35845f4b78fa07eHello,
I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . This vulnerability was possible due to invalid input validation/bad programming. The owner was contacted and a satiric fix was deployed.
Affected site:
http://eenmiljardseconden.frankdeboosere.be/
(media stunt of Flemish television weather forecast presentator)
Details:
After entering a message on the "Stuur een bericht naar de toekomst"-page, you are presented an unique number of your request, to track it. You were then redirected to http://eenmiljardseconden.frankdeboosere.be/messagesent/id/[number of your request]. The number could be replaced by any value to inject content into the page.
It is now solved, and if you try to execute it again, you get a link to Rick Astley's "Never gonna give you up" on YT.
Timeline:
2012-05-29 - discovery and owner notification.
2012-05-30 - Fix
2012-05-31 - Disclosure at 42(at)discuss.hackerspaces.be mailinglist.
Regards,
Yvan Janssens
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed