/usr/portage

Easy friend-finding for the socially retarded

Found an XSS vulnerability on Qype that let a user inject malicious JavaScript into his profile so that every visitor automatically became his friend. As Qype is built on Rails, it ships with Prototype as its JavaScript library, which made writing a fitting exploit pretty easy:

"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>

Qype has fixed the issue.
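The root cause is output encoding, not the friend request itself: the profile value is written into the page markup unescaped, so the leading `">` closes the attribute and the `<script>` that follows runs in every visitor's browser. The Ruby below is an added illustration, not Qype's code or anything from this post; it assumes a hypothetical nickname field rendered into an input attribute and uses the payload above as constructed sample input, contrasting the unescaped rendering with the escaped one that Rails' `h()` helper provides.

```ruby
require 'erb'

# Constructed sample input: the profile value from the post above, as an
# attacker would have typed it into a text field such as a nickname.
PAYLOAD = %q{"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>}

# Vulnerable rendering (hypothetical, not Qype's code): the user-supplied value
# is interpolated straight into an HTML attribute. The leading '">' closes the
# attribute and the tag, so the <script> that follows is parsed as markup.
def render_profile_unsafe(nickname)
  %(<input type="text" name="nickname" value="#{nickname}">)
end

# Hardened rendering: escape the value first. ERB::Util.html_escape is what
# Rails' h() helper wraps; it turns < > " & ' into entities, so the browser
# shows the payload as literal text inside the attribute instead of running it.
def render_profile_safe(nickname)
  %(<input type="text" name="nickname" value="#{ERB::Util.html_escape(nickname)}">)
end

# Detection helper: does the rendered markup still contain a live <script> tag?
# A real scanner would use an HTML parser; a tag-start regex is enough here.
def contains_script_tag?(html)
  !(html =~ /<script\b/i).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_profile_unsafe(PAYLOAD)}"
  puts "safe:   #{render_profile_safe(PAYLOAD)}"
  puts "unsafe has script tag? #{contains_script_tag?(render_profile_unsafe(PAYLOAD))}"
  puts "safe has script tag?   #{contains_script_tag?(render_profile_safe(PAYLOAD))}"
end
```

Note that a CSRF token on `/contact/create` would not have stopped this on its own: the injected script runs in the victim's origin and can read the token from the page before posting. Escaping at the point where user data meets markup is the fix; the token remains worthwhile against requests forged from other sites.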

Filed on 26-06-2007, 10:10
