Orkut suffered from a cross site scripting vulnerability.
db1549deb503e0b9be8f7cda798c073812d06cd25c35097adc9392f8943a4b0f
Patched as of 12/12/2009.
All the test procedure along with snapshot is attached in the mail.
*The vulnerability exists in Video section of orkut. I took following steps
to exploit the vulnerability:
1) Login in Orkut account.
2) In your video section, click on "edit description".
3) Now enter the following script which will create a button named "Click
here",
The script is mentioned in Attached file:-
* *<input name=btnI type=submit value="Click here" class=lsb
"onfocus="alert(123) ">
4) Now as this script is onfocus. So click on that button created by this
script.
5) Now an alert box appear, which shows that the script is executed
successfully.*
Thanks & Regards,
Sanjay Kumar
sanjay1519841@gmail.com