Persistent XSS and SQL Injection Flaws on ESET Taiwan Website Fixed

2012-10-31

Eduard Kovacs

http://news.softpedia.com/news/Persistent-XSS-and-SQL-Injection-Flaws-on-ESET-Taiwan-Website-Fixed-303376.shtml

Security researcher Rafay Baloch has identified a persistent cross-site scripting (XSS) vulnerability and an SQL Injection flaw on the official website of ESET Taiwan (eset.tw).

"The search box is vulnerable. Once the user inserts an inverted comma into the box, the alert is executed. This, at first, looked like a self XSS, however it can be exploited by using clickjacking techniques, since X-frame header is not set, making the page render in an IFRAME," the expert told Softpedia when he uncovered the issues.

The SQL Injection, on the other hand, could have been exploited by a remote attacker to gain access to the site's databases.

For his findings and for practicing responsible disclosure, the ESET Security team officially thanked the researcher and provided him with a license for ESET Smart Security.

"Your information has helped us and our partner responsible for the site to improve security of online services and has prevented malicious exploitation of these vulnerabilities," ESET representatives told Baloch.
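
The framing condition in the researcher's quote (no X-Frame-Options header, so the page renders in an IFRAME) can be checked from a response's headers. The following is an added example, not code from the original article, the researcher or ESET; the function name `framable_cross_origin` and the sample header sets are constructed for illustration. It goes beyond the article by also covering the CSP `frame-ancestors` directive, which the article does not mention.

```python
"""Added example: would a browser let another origin frame this response?"""

def _frame_ancestors(policy):
    """Return the source list of the first frame-ancestors directive, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _open_to_any_origin(sources):
    # "*" and bare scheme sources match arbitrary third-party origins.
    return any(s in ("*", "http:", "https:") for s in sources)

def framable_cross_origin(headers):
    """headers: list of (name, value) pairs. Returns (framable, reason)."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    lists = [s for s in map(_frame_ancestors, csp) if s is not None]
    if lists:
        # All enforced policies apply, so one strict frame-ancestors list is enough.
        if any(not _open_to_any_origin(s) for s in lists):
            return False, "CSP frame-ancestors restricts framing"
        return True, "CSP frame-ancestors allows any origin"
    # No frame-ancestors directive: X-Frame-Options decides.
    tokens = {t.strip().upper() for n, v in headers
              if n.lower() == "x-frame-options" for t in v.split(",")}
    enforced = tokens & {"DENY", "SAMEORIGIN"}
    if enforced:
        return False, "X-Frame-Options " + "/".join(sorted(enforced))
    if tokens - {""}:
        return True, "X-Frame-Options value is not an enforced one"
    return True, "no X-Frame-Options or frame-ancestors header"

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "xfo sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "xfo allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp wildcard + xfo deny": [("Content-Security-Policy", "frame-ancestors *"),
                                ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framable_cross_origin(hdrs))
```

The last sample is reported as framable because browsers ignore X-Frame-Options once an enforced policy carries a `frame-ancestors` directive.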