Penske Media Cross-site Scripting

Update 05-Jan-2013:

All reported issues have been fixed. The Packet Storm entry has been updated: http://packetstormsecurity.com/files/118249/Penske-Media-Corporation-Cross-Site-Scripting.html

_____________________


Original situation:

Multiple Penske Media Corporation (http://www.pmc.com) websites are vulnerable to reflected Cross-site Scripting attacks. Vulnerable sites as of 20-Nov-2012:

Variety.com, La411.com, NewYork411.com and Deadline.com

_____________________

Update 27-Nov-2012:

The Senior Director of Engineering at PMC contacted me shortly after this post. The security issues are being addressed in an effective manner.

Deadline.com – Issue was fixed during the Thanksgiving holiday

According to PMC, the rest of the vulnerabilities should be fixed in the near future.

_____________________

Packet Storm advisory: http://packetstormsecurity.org/files/118249/Penske-Media-Corporation-Cross-Site-Scripting.html

I initially reported the findings to various contacts at Variety on 16-Oct-2012. All reporting attempts apparently failed, as there was no response.

Users should be careful and avoid clicking links that point to XSS-vulnerable domains.
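To make the warning above concrete, here is an added illustration of what a reflected XSS link does and how the server-side fix looks. This is generic example code written for this page, not code from any PMC site or from the Packet Storm advisory; the host example.test, the search endpoint, the `q` parameter and the function names are all assumptions. The vulnerable handler echoes a query parameter straight into HTML; the hardened handler HTML-escapes it first, so the same crafted link renders as inert text.

```javascript
// Added example: reflected XSS in a hypothetical search page, vulnerable
// handler beside the hardened one. Not code from any PMC site.

// Vulnerable: attacker-controlled text is concatenated into the HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Escape the characters that change meaning in element content and
// in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same page, but the reflected text cannot open a tag.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Pull the "q" parameter out of a URL the way the server would see it.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Crude detector used only for the demonstration: does the rendered
// page contain a script tag or an inline event handler?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample: the kind of link an attacker would send to a
// victim. The payload runs in the origin of the vulnerable site.
const maliciousLink =
  'https://example.test/search?q=' +
  encodeURIComponent('<script>alert(document.domain)</script>');

const q = queryFromUrl(maliciousLink);
console.log('vulnerable:', renderSearchVulnerable(q));
console.log('hardened:  ', renderSearchSafe(q));
console.log('vulnerable page executes script?', containsActiveContent(renderSearchVulnerable(q)));
console.log('hardened page executes script?', containsActiveContent(renderSearchSafe(q)));
```

Escaping on output is the minimum fix; a Content-Security-Policy that disallows inline script would additionally stop this payload even where an escaping bug remains, and the escaping shown here is for HTML body context only, not for values placed inside script blocks or URLs.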

Example screenshots:

Deadline.com XSS

Variety.com XSS


2 thoughts on “Penske Media Cross-site Scripting”

  1. shpendk says:

    Pretty tough... Congrats.

  2. jannefi says:

    As you can see from the update, PMC has been actively working on the fixes after they saw the advisory. My original vulnerability report did not reach the correct persons. PMC clearly takes security issues seriously.
