An Indian Security Researcher , Suriya has discovered A reflected xss vulnerability in the AOL website, an American global brand company that develops, grows, and invests in brands and web sites.
Initially , the researcher discovered the xss vulnerability in Dmoz. After notifying the "In partnership with AOL search" text in the Dmoz website, he decided to test the AOL also for the vulnerability and got success.
According to Researcher, the vulnerability was discovered five months ago. He immediately tried to contact the AOL Security team. Unfortunately, he is not able to find the contact address for the security team, so he tried to contact some emails provided in the site but they failed to respond properly.
After few months, he published the vulnerability details in his own blog on October 2012. But the XSS vulnerability is still there and unfixed.
POC code for the AOL xss:
"You might be wondering why I included the alexa.com rank for the site’s, that’s cause I wanted to show you all how even a small site has more instinctive to fix a vulnerability but AOL with its hundreds of workers could not even bother giving me a proper reply." Suriya said.
"Well I really dint know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of Paypal , Microsoft etc allowing people to at least securely report vulnerabilities ,even if you are not paying them at least acknowledge the people who give time and resources out of their lives to help you!"
Initially , the researcher discovered the xss vulnerability in Dmoz. After notifying the "In partnership with AOL search" text in the Dmoz website, he decided to test the AOL also for the vulnerability and got success.
According to Researcher, the vulnerability was discovered five months ago. He immediately tried to contact the AOL Security team. Unfortunately, he is not able to find the contact address for the security team, so he tried to contact some emails provided in the site but they failed to respond properly.
AOL xss |
After few months, he published the vulnerability details in his own blog on October 2012. But the XSS vulnerability is still there and unfixed.
POC code for the AOL xss:
http://www.aol.com/?icid=';alert(String.fromCharCode(69, 32, 72, 97, 99, 107, 105, 110, 103, 32, 78, 101, 119, 115))//'POC code for the Dmoz:
http://www.dmoz.org/search?q="><script>alert("E Hacking News")</script>
Dmoz XSS |
"You might be wondering why I included the alexa.com rank for the site’s, that’s cause I wanted to show you all how even a small site has more instinctive to fix a vulnerability but AOL with its hundreds of workers could not even bother giving me a proper reply." Suriya said.
"Well I really dint know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of Paypal , Microsoft etc allowing people to at least securely report vulnerabilities ,even if you are not paying them at least acknowledge the people who give time and resources out of their lives to help you!"