[Full-disclosure] XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be

[Yvan Janssens]

Hello,

I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . 
This vulnerability was possible due to invalid input validation/bad 
programming. The owner  was contacted and a satiric fix was deployed.

Affected site:
http://eenmiljardseconden.frankdeboosere.be/
(media stunt of Flemish television weather forecast presentator)
Details:
After entering a message on the Stuur een bericht naar de toekomst-page, you 
are presented an unique number of your request, to track it. You were then 
redirected to 
http://eenmiljardseconden.frankdeboosere.be/messagesent/id/[number of your 
request]. The number could be replaced by any value to inject content into the 
page.

It is now solved, and if you try to execute it again, you get a link to Rick 
Astley's  Never gonna give you up on YT.
Timeline:
2012-05-29 - discovery and owner notification.
2012-05-30 - Fix
2012-05-31 - Disclosure at 42(at)discuss.hackerspaces.be mailinglist.


Regards,
Yvan Janssens
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be

[coderman]

On Mon, Jul 16, 2012 at 12:23 AM, Yvan Janssens yvan.janss...@vasco.com wrote:

 I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/
 . This vulnerability was possible due to invalid input validation/bad
 programming. The owner  was contacted and a satiric fix was deployed.
 ...
 It is now solved, and if you try to execute it again, you get a link to Rick
 Astley’s  “Never gonna give you up” on YT.

priceless! ++

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/