0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Libsyn Cross Site Scripting Vulnerability
[As you can see from my publications for last five years, I like holes which are placed at hundreds or millions of web sites. Since my 2008's article XSS vulnerabilities in 215000 flash files (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2008-November/004655.html) till last advisories about vulnerabilities in JW Player and other flash-files, which are hosted at millions of sites. For example, any vulnerability in WordPress (such as XSS in swfupload) are spread on more 58,4 million web sites (by wordpress.com statistics). And now I'll tell you about vulnerability at one hosting platform which has potentially up to million of web sites. Here is Cross-Site Scripting vulnerability in libsyn platform (Liberated Syndication). There are a lot of vulnerable web sites with this XSS on it (including security sites). According to Google (site:libsyn.com -site:www.libsyn.com): At 27.09.2012 there were results: 1890000 At 01.12.2012 there were results: 2080000 It's about pages of all subdomains. But we can take some average number of pages per site and find the number of sites - approximately it'll be from 100000 till 1 million web sites. The developers haven't fixed vulnerability for more then two months, even I've informed them multiple times. ---------- Details: ---------- XSS (WASC-08): Here is example at one web site at libsyn: http://dyned.libsyn.com/webpage/category/%3Cbody%20onload=alert(document.cookie)%3E ------------ Timeline: ------------ 2012.09.27 - Found vulnerability in platform and checked it at multiple libsyn sites. 2012.09.27 - Informed developers via e-mail and contact form. Site's contact form answered that they would reply shortly. 2012.10.13 - Still no answer. Resent letter via contact form and to e-mail of domain owner. 2012.12.01 - Still the same. Disclosed to Full-disclosure. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua # 0day.today [2024-09-28] #