[VulnWatch] Syhunt: Flixster Cross-Site Scripting Vulnerabilities

From: Alec Storm (alec@syhunt.com)
Date: Tue Apr 24 2007 - 12:58:36 EDT


Syhunt: Flixster Cross-Site Scripting Vulnerabilities

Advisory-ID: 200731031
Discovery Date: 3.31.2007
Release Date: 4.24.2007
Affected Applications: Flixster service
Class: Cross-Site Scripting (Cookie-Theft), HTML Injection
Status: Patched by Flixster
Vendor: Flixster, Inc
Vendor URL: http://www.flixster.com

----------------------------------------------------------------

Overview:
Flixster is a social networking site focused around movie
reviews. It includes features such as the ability for individual
users to review and rate films and to compare their ratings with
invited friends to assess compatibility in film tastes.
Recently they claimed to have surpassed 5 million registered
users.

Description:
The Flixster service is vulnerable to cross-site scripting (XSS) and
HTML injection. Input passed to the "message" parameter is not
properly sanitised before being returned to the user; the search
feature is vulnerable as well. These flaws can be exploited to
execute arbitrary HTML and script code in the user's browser
session. Flixster allows users to include links in their profiles
and messages, which makes the flaws even easier to exploit.
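The defect described above is missing output encoding: a request parameter is copied into the HTML response as-is. The following Python example is added to this advisory as an illustration and is not Flixster's or Syhunt's code; the two template fragments (a "flash" message div in HTML body context and a search box echoing the term into an attribute) are hypothetical stand-ins for the affected pages, while the two request URLs follow the shapes given in the Details section. It shows the parameter as the server decodes it, the vulnerable rendering beside the hardened one, and why the same encoder must also escape quotes when the value lands inside an attribute.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Constructed request URLs following the shapes given in the advisory
# (the host is the one the advisory names; the payloads are its own).
MESSAGE_URL = ("http://www.flixster.com/homepage.do?message="
               "Hello%20world!<script>alert(document.cookie);</script>")
SEARCH_URL = ("http://www.flixster.com/movies.do?movieAction=doMovieSearch&"
              "search=\"><script>alert(document.cookie)%3B<%2Fscript>&x=44&y=14")


def parse_query(url: str) -> dict:
    """URL-decode the query string the way the application sees it.

    Splitting only on '&' (never on ';') mirrors typical servlet behaviour
    and keeps the ';' inside the payload as part of the value.
    """
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_message_vulnerable(message: str) -> str:
    """The defect the advisory describes: the parameter is echoed verbatim into body context."""
    return f"<div class=\"flash\">{message}</div>"


def render_message_hardened(message: str) -> str:
    """Fix for body context: entity-encode the untrusted value before emitting it."""
    return f"<div class=\"flash\">{html.escape(message, quote=True)}</div>"


def render_search_vulnerable(term: str) -> str:
    """Search box echoing the term inside an attribute; a leading '\">' closes both attribute and tag."""
    return f"<input type=\"text\" name=\"search\" value=\"{term}\">"


def render_search_hardened(term: str) -> str:
    """Fix for attribute context: same encoder; quote=True also neutralises the closing quote."""
    return f"<input type=\"text\" name=\"search\" value=\"{html.escape(term, quote=True)}\">"


def has_live_script_tag(fragment: str) -> bool:
    """Does the rendered fragment still contain an un-encoded <script> tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    message = parse_query(MESSAGE_URL)["message"]
    term = parse_query(SEARCH_URL)["search"]
    for label, out in [("message/vulnerable", render_message_vulnerable(message)),
                       ("message/hardened", render_message_hardened(message)),
                       ("search/vulnerable", render_search_vulnerable(term)),
                       ("search/hardened", render_search_hardened(term))]:
        print(f"{label:20} live script tag: {has_live_script_tag(out)}")
        print("   ", out)
```

Encoding at output time, for the specific HTML context the value lands in, is what closes both findings; rejecting input that merely contains `<script>` would not help against the attribute-context variant, where the dangerous characters are `"` and `>`.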

----------------------------------------------------------------

Details:
1) Message param XSS

http://www.flixster.com/user/[user]?message=
Hello%20world!<script>alert(document.cookie);</script>

http://www.flixster.com/homepage.do?message=
Hello%20world!<script>alert(document.cookie);</script>

2) Search XSS

http://www.flixster.com/movies.do?movieAction=doMovieSearch&
search="><script>alert(document.cookie)%3B<%2Fscript>&x=44&y=14
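From the defender's side, requests of the shapes listed above leave a clear trace in web-server logs. The Python example below is added here and is not part of the advisory; the three combined-format access-log lines are constructed (documentation-range client addresses, timestamps chosen to match the advisory date), with the first two mirroring the two request shapes above and the third being ordinary search traffic. It decodes each query parameter before matching, so that `%3Cscript%3E` and a literal `<script>` are caught alike, and reports which parameter the markup arrived in.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). The first two copy the
# request shapes from this advisory; the third is benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2007:12:58:36 -0400] "GET /homepage.do?message=Hello%20world!%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2007:12:58:40 -0400] "GET /movies.do?movieAction=doMovieSearch&search=%22%3E%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E&x=44&y=14 HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2007:13:01:02 -0400] "GET /movies.do?movieAction=doMovieSearch&search=hello+world&x=44&y=14 HTTP/1.1" 200 7012 "-" "Mozilla/5.0"
"""

# Client address, timestamp and the request target of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers of markup or script landing in a parameter value. Matched on the
# URL-decoded value, so percent-encoded and literal forms are treated alike.
XSS_MARKERS = re.compile(r'<\s*script|javascript:|on\w+\s*=|"\s*>', re.IGNORECASE)


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for every query parameter carrying an XSS marker."""
    _, _, query = target.partition("?")
    hits = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        decoded = unquote_plus(value)
        if XSS_MARKERS.search(decoded):
            hits[unquote_plus(key)] = decoded
    return hits


def scan_log(text: str) -> list:
    """Return (client ip, path, {param: value}) for each request line that carries markup in a parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            path = m["target"].partition("?")[0]
            findings.append((m["ip"], path, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        for param, value in hits.items():
            print(f"{ip} {path} param={param!r} value={value!r}")
```

A single decode pass is enough for these two findings; double-encoded probes would need the value decoded again before matching, and a proxy or WAF in front of the application is the usual place to run a rule like this in real time rather than after the fact.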

----------------------------------------------------------------

Vulnerability Status:
Vendor was notified on 3.31.2007. Flixster is no longer
vulnerable to these exploitation methods.

----------------------------------------------------------------

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

---
Credit:
Alec Storm, Syhunt Security Research Team, www.syhunt.com


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:21:53 EDT