lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Jun 2014 15:04:02 +0200
From: "Roberto Garcia Amoriz" <roberto.garcia@...aramo.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] XSS on Panasonic site

								- XSS on
Panasonic site-

****************************************************************************
***************************************
Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
Advisory ID:  969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on  security.panasonic.com Vendor
URL: http://security.panasonic.com 
Vendor Status: reported 2 times but not solved
****************************************************************************
***************************************


**************************
Vulnerability Description
**************************

The website " security.panasonic.com " is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


**************************
PoC-Exploit
**************************

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1

 
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8


**************************
Solution
**************************

  Reported 2 times but not solved

**************************
Disclosure Timeline
**************************

- Report vuln Jun 4, 2014 via email to samuel.garcia@....eu.panasonic.com

- Reported again via web Jun 12, 2014. They answer me:

	Dear Mr. Garcia, 
	Thank you for your prompt e-mail reply. 
	egarding your enquiry, I am writing to confirm having forwarded your
message to the corresponding department.
 
	Kind Regards, 
	Teo
	Customer Service Team 
	Panasonic UK

**************************
Afected sites:

  - vftr.panasonic.co.jp
  - security.panasonic.com
  - panasonic.ney

**************************


**************************
Credits
**************************

----------------------------------------------------------------------------
--------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
----------------------------------------------------------------------------
--------------

Best regards.

Roberto Garcia Amoriz

Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists