OKCupid server error pages suffered from a cross site scripting vulnerability.
55b9edd72c42fe42439c54b83648a6ae9a40cbf862490bd921f0a61780685848Title: OKCupid Server Error Page XSS
Severity: High
CVE-ID: CVE-2014-3148
Re-release: 20 September 2014
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
http://xssWarrior.com
http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: https://github.com/okws/okws
Vendor:
Remote Exploit: Yes
Description:
============
A non-existent page triggers the vulnerable XSS page.
Proof of Concept :
==================
http://okcupidserver/none/[code]
Various URLs :
==================
Public Release:
https://twitter.com/infosecmaverick/status/462573038299803648
Hacker1:
https://hackerone.com/reports/3317
Git Credit and Correction:
https://github.com/okws/okws/commit/e9bedb644d106a043e33e1058bedd1c2c0b2e2e0
Solution:
=========
Upgrade.
Remarks:
========
Thanks to @Sidnicious at OKCupid for such a quick fix and responsiveness
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed