XSS vulnerability through the search results page.
The search query is sent as a GET parameter and is reflected into the search form without escaping. It lands in three places: inside the string argument of the javascript: URL used as the form's action, inside the HTML value attribute of the search box, and inside the inline onblur handler. Because the query is spliced into an existing JavaScript string literal, a value such as bob');alert('bob');startSearch('bob closes the string and the function call and appends arbitrary statements, so a crafted URL is enough to get attacker-controlled code into the page's script context.
There was some protection: the site returned a 403 if the query contained onload or onhover event handlers. This is a bad case of trying to blacklist specific JavaScript event names in an attempt to prevent XSS. The payload above contains no event handler at all, so the filter never triggers. The fix is to encode the query for each context it is rendered into (as a JavaScript string literal, then as an HTML attribute value), not to look for known-bad strings.
<!-- Rendered form after searching for: bob');alert('bob');startSearch('bob -->
<!-- Injection point 1: the query is spliced into the string argument of the javascript: action -->
<form name="Search" action="javascript:startSearch( document.getElementById('search').value, 'bob');alert('bob');startSearch('bob', null, '#search', true )">
  <div class="large-12 arial columns">
    <div class="small-box-9 columns">
      <!-- Injection points 2 and 3: the raw query inside the value attribute and the onblur handler -->
      <input title="search" class="no-bottom" id="search" type="search" size="21" maxlength="120" value='bob');alert('bob');startSearch('bob' name="vgnextkeyword" onblur="if(this.value == ''){this.value ='bob');alert('bob');startSearch('bob'}" />
    </div>
    <div class="small-box-3 columns">
      <button class="button" type="submit">Search</button>
    </div>
  </div>
</form>
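The following is an added example, not code from the report or from the affected site. It models the vulnerable form above with a template that splices the raw query into the javascript: action, the value attribute and the onblur handler, puts a hardened version beside it, and simulates a form submit by running the action with stubbed startSearch/alert/document to show which one executes the injected statements. The function names, the event-name filter (a reconstruction of the 403 behaviour described above) and the simulated submit are all assumptions.

```javascript
// Added example (not from the original report). Function names, the blacklist
// reconstruction and the submit simulation are assumptions, not the site's code.

// The payload quoted in the report: closes the JS string and the call, adds a statement.
const PAYLOAD = "bob');alert('bob');startSearch('bob";

// Assumed reconstruction of the site's filter: 403 if a few event names appear.
function eventNameBlacklist(q) {
  return /\bon(load|hover)\s*=/i.test(q) ? 403 : 200;
}

// Vulnerable: the raw query goes straight into a javascript: URL, a single-quoted
// value attribute and an inline handler, mirroring the rendered HTML above.
function renderSearchFormVulnerable(q) {
  return (
    `<form name="Search" action="javascript:startSearch( document.getElementById('search').value, '${q}', null, '#search', true )">` +
    `<input id="search" type="search" value='${q}' name="vgnextkeyword" ` +
    `onblur="if(this.value == ''){this.value ='${q}'}" />` +
    `</form>`
  );
}

// HTML attribute encoding: neutralises the five characters that can end or alter an attribute.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JS string literal: JSON.stringify escapes quotes, backslashes and control characters;
// additionally escape <, >, & and the U+2028/2029 line terminators as \uXXXX.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: encode for the innermost context first (JS string literal), then for the
// outer one (HTML attribute). The browser decodes the attribute before the JS engine
// parses it, so this ordering is what makes the nested context safe.
function renderSearchFormSafe(q) {
  const jsArg = htmlAttrEncode(jsStringLiteral(q));
  return (
    `<form name="Search" action="javascript:startSearch( document.getElementById('search').value, ${jsArg}, null, '#search', true )">` +
    `<input id="search" type="search" value="${htmlAttrEncode(q)}" name="vgnextkeyword" ` +
    `onblur="if(this.value == ''){this.value =${jsArg}}" />` +
    `</form>`
  );
}

// Minimal attribute decoder, standing in for the browser's attribute-value decoding.
function decodeHtmlAttr(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Simulated submit: extract the javascript: action from the rendered form and run it
// with stubbed startSearch/alert/document, recording every call that happens.
function simulateSubmit(html) {
  const m = html.match(/action="javascript:([^"]*)"/);
  const script = decodeHtmlAttr(m[1]);
  const calls = { alert: [], startSearch: [] };
  const fakeDocument = { getElementById: () => ({ value: 'typed text' }) };
  try {
    new Function('startSearch', 'alert', 'document', script)(
      (...a) => calls.startSearch.push(a),
      (...a) => calls.alert.push(a),
      fakeDocument);
  } catch (e) {
    calls.error = e.message;
  }
  return calls;
}

// Summary a reader can run stand-alone: the blacklist passes the payload, the
// vulnerable form pops alert on submit, the hardened form passes it as plain data.
function demo() {
  return {
    filterVerdict: eventNameBlacklist(PAYLOAD),
    vulnerableAlerts: simulateSubmit(renderSearchFormVulnerable(PAYLOAD)).alert.length,
    safeAlerts: simulateSubmit(renderSearchFormSafe(PAYLOAD)).alert.length,
  };
}
```

The vulnerable render needs no event handler, which is why the onload/onhover filter returns 200 for it; the hardened render turns the same input into a single double-quoted string argument that startSearch receives verbatim, and the same holds for inputs carrying double quotes or angle brackets.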
Reported. Fixed: Unknown.