On Thu, Apr 11, 2013 at 06:27:28PM +0200, Kacper Szczesniak wrote: > Hi All! > > I was looking for a 19" rack mount today and found this XSS instead: > http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E > > it turns out to be a custom data-headline attribute that is not properly > escaped > > tested on Firefox 20, Chrome and others need an xss filter bypass > > kacper
And? Did you report this to allegro.pl owners? Even to security@- and abuse@-addresses? How is this 0day issue? --- Henri Salo
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
