[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02].
Although new browsers have already patched this issue, it is still a security flaw.
According to a research here http://www.ie6countdown.com/
6.1% of the world’s population still uses IE6
22.2% of population in china also still uses IE6
The reflected xss is located here
The value of the parameter ‘media’ will be inserted into the img src.
On the 8th of August 2013, I reported a persistent cross site scripting vulnerability on freelancer.com
Alexa Ranking: 90
Talking with Alan Schaaf (CEO of imgur) made my day. He’s nice and have a good sense of humour!
Reported on October 12 2012 and Fixed on October 13 2012.
The vulnerability is located in the real name parameter during registration. During registration, attackers could insert malicious payloads into the ‘real name’ parameter. Basically, every page that the name of the attacker account gets printed will execute the malicious code. It can also be use with XSRF to further exploit the vulnerability.
This vulnerability is reported on 10 November 2012 and fixed on 24 November 2012.
The bug fixing process went very smoothly, thanks to the great engineer team!