Paid Advertising is
ha.ckers sla.cking
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In xss
Posted by: peekay
Date: September 08, 2008 11:30PM

Canadian coffee:

Search box not validating anything:

</span><img src="INSERT_FAVORITE.GIF">

Seems to accept only POSTs and all output gets converted to uppercase (can be bypassed by simple encoding I presume.)

Help improve?

Edited 1 time(s). Last edit at 09/08/2008 11:32PM by peekay.

Options: ReplyQuote
Re: xss
Posted by: C1c4Tr1Z
Date: September 09, 2008 12:11AM

I only have found some XSS but with POST requests.

But if you are searching for bugs, there's a nice SQL Injection..

[[url=]Voodoo Research Group[/url]]
[[url=] forum[/url]]

Options: ReplyQuote
Re: xss
Posted by: Kyo
Date: September 09, 2008 01:03PM


Options: ReplyQuote
Re: xss
Posted by: peekay
Date: September 14, 2008 08:46AM

Thanks Kyo handy link ;-)

Keeping with the Canadian theme, Humber College had a similar problem:

Disclosed Mon Sept 8, fixed a couple of days later! (by replacing their custom search with Google, for better or worse.) Kudos Humber for taking action.

Options: ReplyQuote

Sorry, only registered users may post in this forum.