Libsyn Cross Site Scripting

Published: 02 Dec 2012
Reported by: MustLive
Type: packetstorm
Source: packetstormsecurity.com

Cross-Site Scripting vulnerability found in the Libsyn platform, with potentially millions of affected web sites

Advisory text (original mailing-list post):

```text
Hello list!

As you can see from my publications of the last five years, I like holes which
are placed at hundreds or millions of web sites: from my 2008 article "XSS
vulnerabilities in 215000 flash files"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2008-November/004655.html)
to my latest advisories about vulnerabilities in JW Player and other
flash files, which are hosted at millions of sites. For example, any
vulnerability in WordPress (such as XSS in swfupload) is spread across more
than 58.4 million web sites (by wordpress.com statistics). And now I'll tell you
about a vulnerability in one hosting platform which has potentially up to a
million web sites.

Here is a Cross-Site Scripting vulnerability in the libsyn platform (Liberated
Syndication). There are a lot of vulnerable web sites with this XSS on them
(including security sites).

According to Google (site:libsyn.com -site:www.libsyn.com):

At 27.09.2012 there were results: 1890000
At 01.12.2012 there were results: 2080000

That is the number of pages across all subdomains. But we can take some average
number of pages per site and find the number of sites - approximately it'll be
from 100000 to 1 million web sites. The developers haven't fixed the
vulnerability for more than two months, even though I've informed them
multiple times.

----------
Details:
----------

XSS (WASC-08):

Here is an example at one web site on libsyn:

http://dyned.libsyn.com/webpage/category/%3Cbody%20onload=alert(document.cookie)%3E

------------
Timeline:
------------

2012.09.27 - Found vulnerability in platform and checked it at multiple
libsyn sites.
2012.09.27 - Informed developers via e-mail and contact form. Site's contact
form answered that they would reply shortly.
2012.10.13 - Still no answer. Resent letter via contact form and to e-mail
of domain owner.
2012.12.01 - Still the same. Disclosed to Full-disclosure.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
```
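The advisory shows the category segment of a `/webpage/category/<name>` URL being reflected into the page unescaped. The following is an added illustration, not code from the advisory or from Libsyn: it contrasts the reflection pattern described with an output-encoded version, and runs a simple detection over constructed access-log lines. The path prefix, page template and log format are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the URL shape from the advisory, category segment
# carried percent-encoded as a browser would send it.
SAMPLE_PATH = "/webpage/category/%3Cbody%20onload=alert(document.cookie)%3E"

# Constructed access-log lines (Apache combined-style, assumed format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2012:10:00:00 +0000] '
    '"GET /webpage/category/news HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2012:10:00:07 +0000] '
    '"GET ' + SAMPLE_PATH + ' HTTP/1.1" 200 640',
]

CATEGORY_PREFIX = "/webpage/category/"  # assumed route


def category_from_path(path: str) -> str:
    """Extract and percent-decode the category segment of the request path."""
    if not path.startswith(CATEGORY_PREFIX):
        raise ValueError("not a category path")
    return unquote(path[len(CATEGORY_PREFIX):])


def render_vulnerable(category: str) -> str:
    """The defect class the advisory reports: input echoed into HTML as-is."""
    return f"<h1>Category: {category}</h1>"


def render_fixed(category: str) -> str:
    """Same template with HTML output encoding; markup becomes inert text."""
    return f"<h1>Category: {html.escape(category, quote=True)}</h1>"


# Detection: a '<' (percent-encoded as %3C) has no business in a category slug.
ENCODED_LT = re.compile(r"%3C", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_lines) -> list:
    """Return request paths whose category segment contains an encoded '<'."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and m.group(1).startswith(CATEGORY_PREFIX) and ENCODED_LT.search(m.group(1)):
            hits.append(m.group(1))
    return hits
```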
