Thursday 14 February 2013

[EN] LinkedIn.com XSS - update

After a few weeks, I can now publish all the information about the linkedin.com vulnerability.

--------------------------------------------------------------------------------
 Title  :  Persistent XSS in LinkedIn.com
--------------------------------------------------------------------------------
 Date   :  06.12.2012
--------------------------------------------------------------------------------
 Vendor :  www.LinkedIn.com
--------------------------------------------------------------------------------


1. What is it?
--------------------------------------------------------------------------------
  LinkedIn.com is a large portal for people who are looking for
  a job or for past and present colleagues.

2. Where is the bug?
--------------------------------------------------------------------------------
  I found that LinkedIn is vulnerable to persistent cross-site scripting.
 
  A logged-in user is able to add XSS code to this site.

3. PoC
--------------------------------------------------------------------------------
  Proof-of-concept code will not be disclosed to the public before it is secured.
 
  When you are logged in at LinkedIn, choose one person from your contact list
  and go to that person's profile. In the middle (and on the right side) of the
  profile page, you will see the 'edit tag' form. This is the vulnerable place.
  A malicious user can add a 100-character-long string here to exploit this
  vulnerability, for example:

  ' > " > < img src=x onerror= alert ( / hi / ) >.
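
  The fix for this class of bug is to encode the stored tag at output time. The sketch below is an added example, not LinkedIn's code and not part of the original advisory. It assumes the tag is echoed into both an attribute and element text; all function names and the markup are hypothetical.

```javascript
// Constructed sample: the advisory's tag string written without the extra spaces.
const SAMPLE_TAG = `'>"><img src=x onerror=alert(/hi/)>`;
const MAX_TAG_LENGTH = 100; // field length stated in the advisory

// Encode the five characters that can end an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before" (hypothetical markup): the stored tag is concatenated as-is, so the
// leading quote and '>' close the attribute and the element it sits in.
function renderTagUnsafe(tag) {
  return `<a class="tag" title="${tag}">${tag}</a>`;
}

// "After": the length limit is enforced on the server and the value is encoded
// every time it is written into HTML, whatever was stored.
function renderTagSafe(tag) {
  const value = String(tag);
  if (value.length > MAX_TAG_LENGTH) {
    throw new RangeError('tag exceeds ' + MAX_TAG_LENGTH + ' characters');
  }
  const encoded = escapeHtml(value);
  return `<a class="tag" title="${encoded}">${encoded}</a>`;
}

// Crude check used for the comparison: how many elements does the fragment open?
function countOpenedTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe opens', countOpenedTags(renderTagUnsafe(SAMPLE_TAG)), 'elements');
console.log('safe opens  ', countOpenedTags(renderTagSafe(SAMPLE_TAG)), 'element');
console.log(renderTagSafe(SAMPLE_TAG));
```

  With encoding in place the stored string is displayed as text and the only element in the output is the intended link.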

4. Contact
--------------------------------------------------------------------------------
 * http://hauntit.blogspot.com
 * http://portswigger.net
 * http://www.linkedin.com

Tuesday 12 February 2013

osCommerce 2.3.3 shell via CSRF

A few days ago I wrote about a persistent XSS attack possible in the latest osCommerce (2.3.3).

Today, a new story about osCommerce:
a publicly available exploit for CSRF in the latest version.

Enjoy ;)