Responsible Disclosure: [REDACTED] XSS


Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years.

The [REDACTED] website had a subdomain which was running KANA's IQ software which was last updated in 2010. At least, that's judging by the fact it ran jQuery 1.4.4. Most routes into the site redirected properly to their modern website. But a few pages remained accessible. And, sadly, one of those pages was vulnerable to a rather boring XSS flaw.

Posting 'onmouseover="alert('xss')" to a specific page was enough to rewrite its HTML, and produce this:

A pop-up on a website. The HTML code shows the data has been injected.

Now, POSTed XSS are harder to exploit, and relying on the user's mouse to interact with the page makes it less likely to trigger. But, with sufficient determination, an attacker could craft malicious content which could phish the user or otherwise display unwanted content.

Unfortunately, that's about all I can say. When I asked to publicly disclose, I got this in response.

Timeline

  • 2021-07-06 Discovered. Asked for a VDP on Twitter and their public security centre.
  • 2021-07-07 [REDACTED]'s CERT invited me to their private BugCrowd programme. Bug disclosed.
  • 2021-07-09 Triaged as P4. US$100 bounty and 5 BugCrowd points
  • 2021-07-13 Payment received. Request to disclose.
  • 2021-07-20 I noticed the vulnerability had been fixed.
  • 2021-07-29 Request to disclose again. Refused!
  • 2021-08-07 Published on this blog

Share this post on…

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">