Sunday, September 23, 2012 (GoDaddy webmail) XSS - fixed

A few weeks back, I notified support about an XSS vulnerability on their webmail login page, Turns out wasn't as secure as they had hoped it would be. The underlying problem was that they were allowing arbitrary parameters to be passed without sanitizing the input. They've since fixed it to HTML escape the characters in the params.

To give credit where credit is due, I found out not long ago that found the bug a few days before I did and did a better job at reporting it. They also found more bugs around this time last year.

And before that...

Screenshots of my POC bugs below. Pity that I couldn't get it to work on a WebKit-based browser ; (