Full Disclosure – Symantec Website Vulnerable to XSS
I saw a post by d3v1l of http://security-sh3ll.blogspot.com/ where he posts a discovery of a cross site scripting issue on the Symantec site.
I remembered that I had found a similar issue a while back and hadn't got round to disclosing it to them, so I therefore guess it's fine to include in the month of full disclosure.
And with that I give you a new Symantec XSS bug.

Symantec XSS
Notes about the bug are as follows.
The issue is caused by Symantec not checking that HTML comments cannot be ended via user input. So all I had to do was to close the HTML comment tag and then insert any code I saw fit. In this case a very simple JavaScript alert box, as is the norm with demonstrating XSS bugs, and I also added a little iframe.
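The comment-context flaw described above, next to an encoded version, as an added example that is not code from the original post or from Symantec. The function names, the "search term" comment text and the sample value are assumptions constructed for illustration.

```javascript
// Constructed sample input: closes the comment, then adds harmless markup.
const SAMPLE = "--><b>injected</b><!--";

// Vulnerable pattern: user input is copied into an HTML comment verbatim,
// so the input itself can supply the sequence that ends the comment.
function renderCommentUnsafe(value) {
  return "<!-- search term: " + value + " -->";
}

// Encode every character needed to end a comment or start a tag.
// "-" is included so "-->" and "--!>" can never be formed from input.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'-]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Hardened pattern: same template, but the value is encoded first.
// (Not reflecting user input into comments at all is simpler still.)
function renderCommentSafe(value) {
  return "<!-- search term: " + encodeForHtml(value) + " -->";
}

// Check helper: returns whatever markup ends up outside the first comment.
// A comment ends at "-->" or "--!>", or immediately if it starts with
// ">" or "->" (the abrupt-closing cases in the HTML parsing rules).
function markupOutsideComment(html) {
  const start = html.indexOf("<!--");
  if (start === -1) return html;
  const rest = html.slice(start + 4);
  const end = /^-?>|--!?>/.exec(rest);
  const before = html.slice(0, start);
  if (!end) return before; // unterminated: the remainder stays commented
  return before + rest.slice(end.index + end[0].length);
}

// Runs the sample through both renderers for comparison.
function demo() {
  return {
    unsafe: markupOutsideComment(renderCommentUnsafe(SAMPLE)),
    safe: markupOutsideComment(renderCommentSafe(SAMPLE)),
  };
}

console.log(demo());
```

The same check can be run in a unit test over any template that places request data inside a comment.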
Nice find!
Did u report this to Symantec?
Still found to be vulnerable.