Sunday, September 23, 2012

login.secureserver.net (GoDaddy webmail) XSS - fixed

A few weeks back, I notified GoDaddy.com support about an XSS vulnerability on their webmail login page, login.secureserver.net. Turns out secureserver.net wasn't as secure as they had hoped it would be. The underlying problem was that they were allowing arbitrary parameters to be passed without sanitizing the input. They've since fixed it to HTML-escape the characters in the params.
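The difference between reflecting parameters verbatim and HTML-escaping them, as an added example that is not from the original post or from GoDaddy's code. The hidden-field template, the function names and the sample query string are assumptions constructed for illustration, since the post does not show how the page echoed its parameters.

```python
import html
from urllib.parse import parse_qsl

# Hypothetical login-page fragment that carries request parameters forward as
# hidden form fields. How the real page reflected them is not documented here.
FIELD = '<input type="hidden" name="{name}" value="{value}">'


def render_unsafe(query: str) -> str:
    """'Before' behaviour: parameter names and values are copied into markup verbatim."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return "\n".join(FIELD.format(name=n, value=v) for n, v in pairs)


def render_escaped(query: str) -> str:
    """'After' behaviour: every name and value is HTML-escaped before output.

    quote=True also escapes " and ', which matters because the data lands
    inside a double-quoted attribute, not in element text.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    return "\n".join(
        FIELD.format(name=html.escape(n, quote=True), value=html.escape(v, quote=True))
        for n, v in pairs
    )


def breaks_out_of_attribute(markup: str, marker: str) -> bool:
    """True if the constructed marker reaches the output as live markup."""
    return marker in markup


# Constructed input: an unexpected parameter whose value closes the attribute
# and opens a harmless <i> element used purely as a visible marker.
MARKER = '"><i id="probe">'
SAMPLE_QUERY = "ref=home&anything=%22%3E%3Ci+id%3D%22probe%22%3E"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY))   # marker appears as a real element
    print(render_escaped(SAMPLE_QUERY))  # marker appears only as inert text
```

The same check works as a regression test: feed the page a parameter it does not expect and assert that the marker never appears unescaped in the response body.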

To give credit where credit is due, I found out not long ago that http://xss.cx found the bug a few days before I did and did a better job at reporting it. They also found more bugs around this time last year.

http://xss.cx/2012/08/08/ghdb/xss-cross-site-scripting-cwe79-capec86-javascript-injection-rest-url-parameter-example-poc-report-godaddycom.html

And before that...

http://xss.cx/2011/09/16/ghdb/dork-xss-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-insecure-configuration-weak-programming-http-cookie-without-secure-flag-set-injection-example-poc-report-01.html#2.12

Screenshots of my POC bugs below. Pity that I couldn't get it to work on a WebKit-based browser ; (