On November 30, 2011 I reported to US-CERT that I found multiple XSS vulnerabilities in Demand Media's Pluck SiteLife software. The details of the vulnerabilities (now patched) were published yesterday as US-CERT Vulnerability Note VU#400619.
Here's the original report I sent to US-CERT on November 30, 2012:
I would like to report multiple XSS vulnerabilities.
Here are the vulnerability details for Pluck:
This demonstrates multiple XSS vulnerabilities in the Pluck SiteLife Software. According to a sales associate, "The SiteLife product was rolled into a broad social/community platform offering about 2.5 years ago. It's simply called Pluck now and Pluck 5 is the latest version." The version of Pluck that is exploitable is unknown to me at this time.
Here are a few of the known vulnerable URLs and URL parameters:
In addition to the "cv", "jsonRequest", and "r" parameters, the "ctk" parameter is also vulnerable in some instances.
Here is a proof of concept affecting the pluck.com domain: http://sitelife.pluck.com/ver1.0/direct/process?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>
Here are SOME of the sites that appear to be using the vulnerable SiteLife software. ...
I go on to list over 40 popular websites running Pluck SiteLife software that have the vulnerability, which I won't list here.
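As an added illustration that is not Pluck's code and not part of the original report, the Python stand-in below pairs a handler that reflects the jsonRequest parameter the way the proof of concept above relies on with a hardened version that JSON-encodes the value, escapes angle brackets to \u003c/\u003e, and serves the result as application/json with nosniff. The handler names, the response shape, and the use of the reported PoC URL as constructed sample input are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the proof-of-concept URL shape from the report.
POC_URL = ("http://sitelife.pluck.com/ver1.0/direct/process"
           "?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>")


def _json_request_param(url: str) -> str:
    """Extract the (percent-decoded) jsonRequest query parameter."""
    params = parse_qs(urlsplit(url).query)
    return params.get("jsonRequest", [""])[0]


def vulnerable_process(url: str) -> tuple[dict, str]:
    """Hypothetical handler: echoes the raw parameter into a text/html body.
    A browser renders the reflected <body onload=...> and runs the script."""
    req = _json_request_param(url)
    headers = {"Content-Type": "text/html"}
    body = '{"error": "bad request", "request": "' + req + '"}'
    return headers, body


def hardened_process(url: str) -> tuple[dict, str]:
    """Hypothetical fix: JSON-encode the value (quotes/backslashes escaped),
    replace angle brackets with JSON unicode escapes so no raw markup reaches
    the response, and declare the content type so it is not sniffed as HTML."""
    req = _json_request_param(url)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = json.dumps({"error": "bad request", "request": req})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    return headers, body


def contains_raw_markup(body: str) -> bool:
    """True if the response body still carries literal angle brackets."""
    return "<" in body or ">" in body


def decoded_request_field(body: str) -> str:
    """Parse the JSON body back; the escaped value must round-trip intact."""
    return json.loads(body)["request"]
```

The hardened body still carries the caller's exact string once parsed as JSON, so the escaping costs the API nothing while removing the reflected markup the PoC depends on.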
Tomorrow, I will post an in-depth look at XSS in Ajax Web Applications and tell you why some of these vulnerabilities were Internet Explorer specific.