XSS at Cnn.com – again

In August we saw a report from CLPWN of a cross-domain injection type XSS related to Cnn.com.

The target was Search.cnn.com.

This week, Xssed.com reports a new issue.

According to the ‘Additional information’ field of the report:

XSS in the “Get your local weather and news” form

No exact string was given.

Additionally, the Xssed database lists the issue as Unfixed.

  • http://kaneda.bohater.net Kanedaa

    String is on captured picture :]] It’s still Unfixed.

  • http://blog.fukami.io fukami

    Well, it’s also possible to use some of their Flash movies to perform XSS. You can find a fancy example at sla.ckers: http://sla.ckers.org/forum/read.php?2,16684,16735#msg-16735

  • http://networksecurity.typepad.com/ Juha-Matti

    Yeah, maybe there are no extra characters after < / script>
    [spaces added to avoid errors]

    A very simple XSS vuln :)

  • Sali

    what the f can be done with a xss in a news site??!!

  • http://www.whiteacid.org/ Sid

    We could for instance say that tennis players have quit their career to become CISCO certified administrators :D

  • http://clpwn.com clpwn

    you could use the XSS to make the page say ‘CNN hacked by ‘

    and then distribute the link to a few selected stupid people

    and then sit back and watch as the media promotes the ‘CNN hacked by ‘ meme and turns a silly boring XSS hoax into a new fun way to hack things!

  • MoshBat

    That’s my XSS!
    And the original script was alert("Hello Nick");
    I was in an IT lesson at the time, and made an alert in the nice little box to my friend.
    I never knew that this was “big” enough to even get any notice…