| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <006f01cf8c88$1bd8aee0$538a0ca0$@rogaramo.com> Date: Fri, 20 Jun 2014 15:04:02 +0200 From: "Roberto Garcia Amoriz" <roberto.garcia@...aramo.com> To: <fulldisclosure@...lists.org> Subject: [FD] XSS on Panasonic site - XSS on Panasonic site- **************************************************************************** *************************************** Advisory: security.panasonic.com Cross-Site Script Vulnerability (XSS) Advisory ID: 969061 Author: Roberto Garcia (@1gbDeInfo) Affected Software: Successfully tested on security.panasonic.com Vendor URL: http://security.panasonic.com Vendor Status: reported 2 times but not solved **************************************************************************** *************************************** ************************** Vulnerability Description ************************** The website " security.panasonic.com " is prone to a XSS vulnerability. This vulnerability involves the ability to inject arbitrary and unauthorized javascript code. A malicious script inserted into a page in this manner can hijack the users session, submit unauthorized transactions as the user, steal confidential information, or simply deface the page. ************************** PoC-Exploit ************************** http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1 http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8 ************************** Solution ************************** Reported 2 times but not solved ************************** Disclosure Timeline ************************** - Report vuln Jun 4, 2014 via email to samuel.garcia@....eu.panasonic.com - Reported again via web Jun 12, 2014. They answer me: Dear Mr. Garcia, Thank you for your prompt e-mail reply. egarding your enquiry, I am writing to confirm having forwarded your message to the corresponding department. Kind Regards, Teo Customer Service Team Panasonic UK ************************** Afected sites: - vftr.panasonic.co.jp - security.panasonic.com - panasonic.ney ************************** ************************** Credits ************************** ---------------------------------------------------------------------------- -------------- Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo) ---------------------------------------------------------------------------- -------------- Best regards. Roberto Garcia Amoriz Linkedin: es.linkedin.com/in/rogaramo/ Web: http://www.1gbdeinformacion.com Twitter: @1gbdeinfo _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists