
Just another summer XSS in Digg.com

Written by DP

Wednesday, 4 July 2007

Just another XSS vulnerability affecting Digg. Zuppergazi, a very active author, discovered it and notified us. Although we could not reproduce the previous XSS in Digg (it was promptly fixed), this time we were able to mirror it, and we assume the author has already contacted Digg's staff to let them know about the issue. We also contacted Digg ourselves, to keep the associated risk to a minimum.

At the time of writing, this XSS triggers in the latest version of Internet Explorer; it most probably does not work in Firefox.

Input passed via the s parameter of http://digg.com/search?section=news&s= is not properly validated or encoded before being reflected in the page.

As with most XSS, it can be exploited by malicious users to compromise user accounts, "digg bomb" stories and perform cross-site request forgery (CSRF) actions in the victim's name.
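To make the bug class concrete, here is an added example (not Digg's code and not the author's) that models a search page reflecting the s parameter from the URL above. The vulnerable handler copies the raw term into the markup; the hardened one HTML-escapes it, quotes included, because the term lands both in element text and inside a double-quoted attribute. The page template, the probe string and all helper names are assumptions for illustration.

```python
# Added example: vulnerable vs. hardened reflection of the "s" search parameter.
# Not Digg's code. The parameter name "s" comes from the URL in the advisory;
# PAGE_TEMPLATE, PROBE and the function names are assumptions for illustration.
from html import escape
from urllib.parse import urlsplit, parse_qs, quote

# Constructed template: the term appears in element text and in a quoted attribute.
PAGE_TEMPLATE = '<h1>Search results for: {term}</h1>\n<input name="s" value="{term}">'


def get_search_term(url: str) -> str:
    """Extract the s= parameter the way a search handler would (first value, empty if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("s", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw, URL-decoded parameter into HTML: the bug class described above."""
    term = get_search_term(url)
    return PAGE_TEMPLATE.format(term=term)


def render_hardened(url: str) -> str:
    """Same page, but the term is HTML-escaped (quotes included) before it reaches markup."""
    term = get_search_term(url)
    return PAGE_TEMPLATE.format(term=escape(term, quote=True))


def is_reflected_unescaped(rendered: str, marker: str) -> bool:
    """Reflection check: does a tag-bearing marker appear byte-for-byte in the response?"""
    return marker in rendered


# Constructed probe: closes the attribute, then injects a tag. Any tag-bearing
# string serves; the check is whether the response contains it verbatim.
PROBE = '"><script>alert(document.cookie)</script>'
PROBE_URL = "http://digg.com/search?section=news&s=" + quote(PROBE)

if __name__ == "__main__":
    print("vulnerable reflects probe:", is_reflected_unescaped(render_vulnerable(PROBE_URL), PROBE))
    print("hardened reflects probe:  ", is_reflected_unescaped(render_hardened(PROBE_URL), PROBE))
```

The reflection check deliberately looks for the probe in the raw response rather than for an alert box in a particular browser: as the article notes, a payload may fire in Internet Explorer and not in Firefox, but the underlying defect is the unescaped reflection, and that is what to verify and what the fix must remove.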

It is almost certain that this XSS is not the last one. Digg has suffered from XSS vulnerabilities in the past, but fixed them all pretty quickly:

http://www.xssed.com/news/25/Digg.com_is_vulnerable_to_another_XSS/ - March 2007

http://www.oreillynet.com/onlamp/blog/2005/11/digg_vulnerable_to_xss.html - November 2005

http://ha.ckers.org/blog/20060628/digg-is-vulnerable-to-xss/ - June 2006

