A few days ago, I accidentally discovered a security flaw in a public forum dedicated to a well-known security software solution. No “high-level” attack but something really dumb. During the registration process, I pasted a wrong string in the registration page. My clipboard still contained some basic HTML tags.
All of them were accepted by the website, correctly processed and displayed in the output HTML code. Hmmm… I tried to register the following user name:
my<script>alert("xss");</script>login
Really dumb isn’t it? Bingo!
My user name was accepted and saved in the forum database. I was able to log in and on all pages where my login was displayed, the same dialog box appeared. Fail!
I immediately looked for some contact information (at least an e-mail address) or a feedback online form, nothing! I posted a message on the forum requesting a private contact with a webmaster. A few hours later, a guy tagged as “forum admin” answered my post and asked me (always via the public forum) to give more details. My answer was: “No, please contact me via e-mail” (they have it as I registered). Finally, a few hours later still waiting for some feedback, I asked to delete my account. It was cleared a few hours later.
One week later, noting changed, the XSS vulnerability is still present in this forum. I found this vulnerability by mistake and would like to simply report it to the right person. But nobody was aware of my request… Please, webmasters, have a look at what append on your websites and try to keep a safe communication channel to report problems such this one!