Sep 8, 2010

Maggwire.com XSS Vulnerability

Luis Santana of the HackTalk Security Team has discovered a Reflective XSS Vulnerability in the Maggwire.com website.

The search function of the maggwire.com website is vulnerable to reflective XSS, which allows an attacker to inject arbitrary HTML or JavaScript into the website. The following PoC URL illustrates successful exploitation of the vulnerability.

http://www.maggwire.com/search?q=%27%3E%22%3E%3Cimg%20src=http://hacktalk.net/pwnt.png%20/%3E&x=0&y=0

Solution

We recommend sanitizing the ‘q’ GET parameter of the search function with the PHP htmlspecialchars() function to prevent attacks like this from occurring.
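
The recommended fix, as an added example that is not Maggwire's code or part of the original advisory: a hypothetical search template that reflects 'q' into a single-quoted attribute and into body text, shown unencoded and then encoded with htmlspecialchars(). The markup, the function names and the single-quoted attribute are assumptions; the input is the q value from the PoC URL above. ENT_QUOTES is passed explicitly because before PHP 8.1 the default flags (ENT_COMPAT) left single quotes unencoded.

```php
<?php
// Added example. Function names and markup are hypothetical, not the site's own.

/** Encode untrusted text for an HTML body or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the query is echoed into the markup unencoded. */
function render_search_vulnerable(string $q): string
{
    return "<input type='text' name='q' value='" . $q . "'>\n"
         . "<p>Results for " . $q . "</p>\n";
}

/** Hardened pattern: every reflection of $q is encoded at output time. */
function render_search_hardened(string $q): string
{
    return "<input type='text' name='q' value='" . h($q) . "'>\n"
         . "<p>Results for " . h($q) . "</p>\n";
}

// Sample input: the q parameter copied from the PoC URL, URL-decoded the way
// PHP decodes it into $_GET. A real handler would read it with:
//   $q = is_string($_GET['q'] ?? null) ? $_GET['q'] : '';
$q = urldecode('%27%3E%22%3E%3Cimg%20src=http://hacktalk.net/pwnt.png%20/%3E');

$unsafe = render_search_vulnerable($q);
$safe   = render_search_hardened($q);

// Does the injected tag survive as markup in each rendering?
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') !== false);

// With ENT_COMPAT (the default before PHP 8.1) the leading single quote is
// left as-is, so a single-quoted attribute value can still be closed early.
$compat = htmlspecialchars($q, ENT_COMPAT, 'UTF-8');
var_dump($compat[0] === "'");
var_dump(h($q)[0] === "'");

echo $safe;
```

Encoding belongs at the point of output and must match the context: htmlspecialchars() covers HTML text and quoted attribute values, not values written into script blocks or URLs.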
