XSS Exploiting via Old Browsers Flaw on Pinterest.com

The flaw is an image XSS using the JavaScript directive, affecting the following browsers:
[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02].
Although new browsers have already patched this issue, it is still a security flaw.
According to research at http://www.ie6countdown.com/:
6.1% of the world’s population still uses IE6
22.2% of the population in China also still uses IE6

The reflected XSS is located here:
pinterest.com/pin/create/button/?&media=javascript:alert(1)
The value of the parameter ‘media’ will be inserted into the img src.

<img src="javascript:alert(1)" class="pinPreviewImg" style="">

Hence the JavaScript will be executed.
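One way to close this class of bug is to allowlist the URL scheme before the value reaches the img src. This is an added example, not code from the original post or from Pinterest; the function names `safeImageSrc`, `escapeAttr` and `renderPreview` and the sample inputs are assumptions made for illustration.

```javascript
// Added example: validate a reflected 'media' value before using it as <img src>.
// safeImageSrc / escapeAttr / renderPreview are hypothetical names, not Pinterest code.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL string, or null if the value must not be used.
function safeImageSrc(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    // The WHATWG URL parser lowercases the scheme and strips tabs, newlines and
    // leading/trailing control characters and spaces, so an obfuscated
    // "JaVa\tScRiPt:" is seen here as "javascript:" before the check runs.
    url = new URL(raw);
  } catch {
    return null; // relative or unparseable values are rejected outright
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Builds the preview tag; a rejected value yields a tag with no src at all.
function renderPreview(media) {
  const src = safeImageSrc(media);
  if (src === null) return '<img class="pinPreviewImg" alt="">';
  return `<img src="${escapeAttr(src)}" class="pinPreviewImg" alt="">`;
}

// Constructed sample inputs (not taken from real traffic).
const samples = [
  "javascript:alert(1)",
  " JaVa\tScRiPt:alert(1)",
  "data:text/html,x",
  "https://example.com/a.png?w=1&h=2",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderPreview(s));
```

Checking the parsed scheme rather than pattern-matching the raw string is what makes the whitespace and mixed-case variants fail the same way as the plain `javascript:` value.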
