Lucene search
K

Weather Channel Cross Site Scripting

🗓️ 27 Nov 2014 00:00:00Reported by Jing WangType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 29 Views

Weather Channel XSS Vulnerability patche

Code
`*The Weather Channel weather.com <http://weather.com/> Almost All Links  
Vulnerable to XSS Attacks*  
  
  
  
  
  
Domain Description:  
  
http://www.weather.com/  
  
  
"The Weather Channel is an American basic cable and satellite television  
channel which broadcasts weather forecasts and weather-related news and  
analyses, along with documentaries and entertainment programming related to  
weather."  
  
  
"As of August 2013, The Weather Channel was received by approximately  
99,926,000 American households that subscribe to a pay television service  
(87.50% of U.S. households with television), making it the most common  
cable channel in the country." (Wikipedia)  
  
  
  
  
  
  
*Vulnerability description:*  
  
  
Almost all links under the domain weather.com are vulnerable to XSS  
attacks. Attackers just need to add script at the end of The Weather  
Channel's URLs. Then the scripts will be executed.  
  
  
10 thousands of Links were tested based a self-written tool. During the  
tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.  
  
  
The reason of this vulnerability is that Weather Channel uses URLs to  
construct its tags without filtering malicious script codes.  
  
  
The vulnerability can be attacked without user login. Tests were performed  
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.  
  
  
  
  
  
*POC Codes, e.g.*  
  
http://www.weather.com/slideshows/main/"--/>"><img src=x  
onerror=prompt('justqdjing')>  
  
http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img  
src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E  
  
http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>  
  
  
  
  
  
  
*POC Video:*  
  
https://www.youtube.com/watch?v=Ij78WnzKB4M&feature=youtu.be  
  
  
*Blog Details:*  
  
http://securityrelated.blogspot.sg/2014/11/the-weather-channel-weather.html  
  
  
  
  
  
The Weather Channel has patched this Vulnerability in late November, 2014  
(last Week).  
  
  
  
  
  
  
  
  
  
Reported by:  
  
Wang Jing, School of Physical and Mathematical Sciences, Nanyang  
Technological University, Singapore.  
  
http://www.tetraph.com/wangjing/  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Nov 2014 00:00Current
7.4High risk
Vulners AI Score7.4
29