Wednesday, January 1, 2014

XSS - Falha de Segurança no Portal das Finanças (portaldasfinancas.gov.pt)

Written by   on   in , ,   with 4 comments
Bem e para começar o ano aqui vai mais uma descoberta e desta vez, num site governamental que tem uma utilização constante por parte dos portugueses.

Sobre

Titulo: XSS não persistente no Portal das Finanças (Área de Registo)
Risco: Alto
Data da Descoberta: Dezembro
Código Injectado: "><script>alert(document.cookie)</script><input
Autor: Manuel Sousa (me)

Passos para Reproduzir

1. Abrir http://www.portaldasfinancas.gov.pt/pt/adesaoForm.action, com o Firefox ou Internet Explorer, para ver a alertbox em javascript.
2. Injectar o payload no identificador do formulario, neste caso usei o email (adesaoForm.action?email=/payload/): "><script>alert(document.cookie)</script><input
3. Ver o resultado final =]

Depois de comunicado ao departamento de segurança responsável pelo portal, eis a resposta.





Outras partes do portal vulneráveis:


Disclosure Timeline


Dezembro 25, 2013 ás 01:00 (WET Time): Vulnerabilidade Descoberta
Dezembro 29, 2013 ás 20:39 (WET Time): Bug Reportado
Dezembro 30, 2013 ás 17:43 (WET Time): Resposta por parte do Departamento de Informática
Vulnerabilidade corrigida: Ainda não
Share:

4 comments:

  1. UnknownMarch 17, 2022 at 7:32 AM

    Harrahs Casino - Jordan 16 Retro
    Harrahs Casino has a huge range of slot how to find air jordan 18 retro men machines in the jordan 18 white royal blue from us rooms. bestest air jordan 18 retro red suede They have a selection of over 700 titles that have different types of air jordan 18 stockx on sale game. You can play at buy air jordan 18 retro red Harrah's

    ReplyDelete
  2. UnknownApril 3, 2022 at 6:35 PM

    The King Casino Review - SEGPORTS.COM
    The bsjeon.net King Casino review was 출장안마 written by https://deccasino.com/review/merit-casino/ Chief Executive Officer John Cook as follows: · Established https://septcasino.com/review/merit-casino/ in 2017, The King Casino was one of the first online ventureberg.com/ casinos available to US

    ReplyDelete
  3. dagmariajackquesNovember 9, 2022 at 4:30 AM

    The greatest trick to get better odds to beat slots is to choose video games with a theoretical Return to 메리트카지노 Player above 96%. You discover a list of the 12 greatest slot machines to play right on this table. Most slot bonuses allow you to play for free only a particular number of slot machines. All information about what video games are half of} every supply are included within the terms and situations.

    ReplyDelete
  4. AnonymousDecember 8, 2022 at 10:27 AM

    The aim is to get the debt decreased by 50% and in some cases that might happen. However, after charges and late payments, the outcome extra typically is a 25% discount. Debt Management Program – This might be be} one of the debt-relief choices that suits your situation. A debt management program will cut back the interest rate on credit card debt to someplace round 8% so you unlock money that will cut back your debt. You typically owe a number of} people or collectors money plain and easy. Once the addiction has been handled, it’s time to deal with the 온라인카지노 debts that resulted.

    ReplyDelete