[<prev] [next>] [day] [month] [year] [list]
From: webmaster at q-cat.com (Nick Price)
Subject: Xanga Cross Site Scripting Vunerability - GNAA
Security Center
Vendor: Xanga
URL: http://www.xanga.com/
Versions: Current
Remote: Yes
Vendor notified: 04 Nov 2004 at 16:48
Vendor response: NONE
Summary:
~~~~~~~
Xanga is a fully featured blogging system, it
provides great control over look & feel of a users
blog by allowing HTML with only basic checks.
Xanga has well over 2.5 million users and millions
of page views every hour.
A security vulnerability in sitemessage.aspx
allows malicious users to cause a legitimate-looking page to execute external code or display malicious content.
Examples Code:
~~~~~~~~~~~~~~~~~~~~~~~~
http://www.xanga.com/sitemessage.aspx?user=%3Cimg%20src=%22http://www.gnaa.us/images/gnaa.png%22%3E
Impact:
~~~~~
External code can be run from security domain of Xanga.com, possibility of posting malicious content such as fake login forms or malicious scripts.
Vendor:
~~~~~
Vendor was informed months ago but we have recieved no reply.
Credits:
~~~~~
The GNAA Security Team: http://www.gnaa.us/
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.298 / Virus Database: 265.6.7 - Release Date: 12/30/2004
Powered by blists - more mailing lists