Full Disclosure – Symantec Website Vulnerable to XSS

Posted by admin on Aug 10, 2010 in Full Disclosure, Month of Full Disclosure, WebAppSec, XSS |

(Cross Site Scripting)I saw a post by d3v1l of http://security-sh3ll.blogspot.com/ where he posts a discovery of a cross site scripting issue on the Symantec site.

I remembered that I had found a similar issue a while back and hadn’t got round to disclosing it to them, so I therefore guess its fine to include in the month of full disclosure.

And with that I give you a new Symantec XSS bug.

Symantec XSS

Symantec XSS

Notes about the bug are as follows.

the issue is caused by Symantec not checking that html comments cannot be ended via user input. So all I had to do was to close the HMTL comment tag and then insert any code I saw fit. In this case a very simple JavaScript Alert box as is the norm with demonstrating XSS bugs and I also added a little Iframe.

1 Comment

l33t
Feb 11, 2011 at 4:04 am

Nice find!

Did u report this to Symantec?
Still found to be vulnerable.


 

Reply

Copyright © 2012 The Test Manager Blog All rights reserved. Theme by Laptop Geek.