unisfair.com was hosting registration for a "Cloud Computing Security" webinar. CJI noticed a form didn't appear to sanitize special characters, threw in the magic XSS string and voila. When notifying them, their response is odd. First, they claim to know about it. Second, they want his phone number, as if calling him will somehow make everything better.
From: cji (cji[at]attrition.org) To: email@example.com, firstname.lastname@example.org, email@example.com Date: Wed, 4 Nov 2009 21:13:20 +0000 (UTC) Subject: XSS in Unisfair Registration Page Hello, I noticed that your registration page contains a Cross-site Scripting (XSS) flaw. The 'code' parameter is not validated when sent to index.jsp. If you're not familiar with XSS, please review this link: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 An example of the XSS in your site is: http://events.unisfair.com/index.jsp?eid=474&seid=173&code=CC5J"><script>alert('Fluffy Clouds and Happy Squirrel Conference')</script> Please respond back with a planned remediation. I follow the RFPolicy for full disclosure, and expect a response within 5 days (hopefully sooner) acknowledging this issue. http://www.wiretrip.net/rfp/policy.html Regards, cji attrition.org
From: Joerg Rathenberg (JoergR@unisfair.com) To: cji[at]attrition.org Date: Fri, 6 Nov 2009 13:12:30 -0500 Subject: FW: XSS in Unisfair Registration Page Hi Thank you for your message. We are actually aware of this vulnerability and in the process of fixing it. But I am not aware of your organization and why you have contacted us about this. Please provide me a phone number to call you. Thanks, Joerg Rathenberg Senior Director Marketing (650) 330 2162
From: cji (cji[at]attrition.org) To: Joerg Rathenberg (JoergR@unisfair.com) Date: Fri, 6 Nov 2009 20:59:57 +0000 (UTC) Subject: Re: FW: XSS in Unisfair Registration Page On Fri, 6 Nov 2009, Joerg Rathenberg wrote: : Thank you for your message. We are actually aware of this vulnerability : and in the process of fixing it. Great! It's a pretty simple fix. : : But I am not aware of your organization and why you have contacted us : about this. I'm not contacting you on behalf of any organization. I received an invitation to a 'virtual conference' you were hosting, and noticed the issue when I visited the registration page. I politely pointed it out to you, finding it rather ironic that a conference for a security organization dealing with "securing the cloud" would have such a simple vulnerability. Please feel free to read about other ironic incidents here (http://attrition.org/errata/irony.html) : Please provide me a phone number to call you. You had an obvious bug in your page, I told you about it. If an engineer or developer needed to discuss XSS and remediation efforts that would be one thing, but I don't see how a phone call with the "Senior Director Marketing" would be necessary. : Thanks, You're very welcome!