mpaa-xss.txt
Posted on 06 December 2007
As many of you have heard, the MPAA themselves are violating the GNU GPL. Such hypocrisy from a company which claims they adhere to copyrights :-)

In protest, I took exactly 7 seconds to locate an XSS in their website and am posting it for your perusal. Maybe someone can use it in an email to an MPAA staff member, and perhaps can modify the payload to steal credentials for some MPAA admin interface. And perhaps then, after gaining MPAA credentials, this person can modify the MPAA website. And perhaps after that, we can all laugh at the MPAA yet again in their quest to sue 12-year-old kids for downloading MP3 files...

There are many more XSS on their site. Everyone knows that if you find one bug on top (without much effort), there are many more security issues hiding beneath the surface. I leave it up to the MPAA-haters out there to dig deeper and use it to "influence" the MPAA website...

Here's one for the 'txtsearch' search field on the main page at MPAA.org in the top right-hand corner where it says 'Find the rating of a film'...

ERR"></tr></table></td><script>alert('xss');</script>

--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
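
Added example, not part of the original post and not the site's code: it shows why a search term echoed into a quoted HTML attribute without encoding lets the string above close the attribute and introduce a script element, and how output encoding keeps it as data. The template markup and the function names are assumptions; only the field name 'txtsearch' and the test string come from the post.

```python
import html
from html.parser import HTMLParser

# The string posted above for the 'txtsearch' field (from the post, unchanged).
PAYLOAD = "ERR\"></tr></table></td><script>alert('xss');</script>"

# Assumed template: the real page's markup is not shown in the post.
TEMPLATE = '<table><tr><td><input name="txtsearch" value="{term}"></td></tr></table>'


def render_unsafe(term):
    """Echo the search term into the attribute with no encoding."""
    return TEMPLATE.format(term=term)


def render_safe(term):
    """Encode &, <, >, " and ' before placing the term in the quoted attribute."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class Audit(HTMLParser):
    """Record every start tag and the value attribute of the txtsearch input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name") == "txtsearch":
            self.value = attributes.get("value")


def audit(page):
    """Return (start tags seen, echoed value) as an HTML parser sees them."""
    parser = Audit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.value


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        tags, value = audit(render(PAYLOAD))
        print(render.__name__, "script element:", "script" in tags,
              "value round-trips:", value == PAYLOAD)
```

The same audit can be used as a regression test on any template that reflects request parameters: the rendered page should contain only the tags the template defines, and the parsed attribute value should equal the raw input.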