Flemish Television Cross Site Scripting

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047055 漏洞类型
发布时间 2012-07-17 更新时间 2012-07-17
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012070114
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Hello,

I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . This vulnerability was possible due to invalid input validation/bad programming. The owner  was contacted and a satiric fix was deployed.

Affected site:
http://eenmiljardseconden.frankdeboosere.be/
(media stunt of Flemish television weather forecast presentator)
Details:
After entering a message on the "Stuur een bericht naar de toekomst"-page, you are presented an unique number of your request, to track it. You were then redirected to http://eenmiljardseconden.frankdeboosere.be/messagesent/id/[number of your request]. The number could be replaced by any value to inject content into the page.

It is now solved, and if you try to execute it again, you get a link to Rick Astley's  "Never gonna give you up" on YT.
Timeline:
2012-05-29 - discovery and owner notification.
2012-05-30 - Fix
2012-05-31 - Disclosure at 42(at)discuss.hackerspaces.be mailinglist.


Regards,
Yvan Janssens