Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] XSS Vector at www.titus.de

from [batchwork] Network Security [Permanent Link]
Subject: [Full-disclosure] XSS Vector at www.titus.de
Date: Fri, 26 May 2006 04:54:26 +0200 (CEST) 
TITUS is a large german mailorder for skateboards and extreme sports
related stuff. On the TITUS Homepage you can find a damn huge community
(about 20.000 registered user).

Inside the community a registred member can send IMs to other users, send
eMails via web interface and drop orders to the mailorder.

At the community rush hour nearly 5000 users are online at the same time. Easy
to figure out what will happen when an XSS worm hits the site.

And thats the point. The webmailer system offers an offensive vector for XSS
attacks. If you send a mail (no need to type an receiver adress) with the 
following content, you have successfully executed a custom (malicious) script
on the page:

-
"><script type="text/javascript">alert(document.cookie);</script><a href="
-

I've already sent a mail to the technical team at titus.de, but there wasn't
an answer neither a fix.

Greetings,
Batchwork

--
freemail adverts:

Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren
ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: günstig
und schnell mit DSL - das All-Inclusive-Paket für clevere Doppel-Sparer,
nur  44,85 ?  inkl. DSL- und ISDN-Grundgebühr!
http://www.arcor.de/rd/emf-dsl-2

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] XSS Vector at www.titus.de, batchwork <=
Previous by Date:  [Full-disclosure] Re: Finding Function in IAT tables, Randhir Vayalambrone
Next by Date:  [Full-disclosure] XSS Vector at www.emopunk.de, batchwork
Previous by Thread:  [Full-disclosure] VulnSale: Windows Vista Exploit, 0x80
Next by Thread:  [Full-disclosure] XSS Vector at www.emopunk.de, batchwork
Indexes:  [Date] [Thread] [Top] [All Lists]